Abstract. We give deterministic polynomial-time algorithms that, given an order, compute the 
primitive idempotents and determine a set of generators for the group of roots of unity in the 
order. Also, we show that the discrete logarithm problem in the group of roots of unity can be 
solved in polynomial time. As an auxiliary result, we solve the discrete logarithm problem for 
certain unit groups in finite rings. Our techniques, which are taken from commutative algebra, 
may have further potential in the context of cryptology and computer algebra. 


1. Introduction 

An order is a commutative ring whose additive group is isomorphic to $\mathbb{Z}^n$ for some non-negative integer $n$. The present paper contains algorithms for computing the idempotents and the roots of unity of a given order.

In algorithms, we specify an order $A$ by listing a system of "structure constants" $a_{ijk} \in \mathbb{Z}$ with $i, j, k \in \{1, 2, \ldots, n\}$; these determine the multiplication in $A$ in the sense that for some $\mathbb{Z}$-basis $e_1, e_2, \ldots, e_n$ of the additive group of $A$, one has $e_i e_j = \sum_{k=1}^{n} a_{ijk} e_k$ for all $i, j$. The elements of $A$ are then represented by their coordinates with respect to that basis.

An idempotent of a commutative ring $R$ is an element $e \in R$ with $e^2 = e$, and we denote by $\mathrm{id}(R)$ the set of idempotents. An idempotent $e \in \mathrm{id}(R)$ is called primitive if $e \neq 0$ and for all $e' \in \mathrm{id}(R)$ one has $ee' \in \{0, e\}$; let $\mathrm{prid}(R)$ denote the set of primitive idempotents of $R$.

Orders $A$ have only finitely many idempotents, but they may have more than can be listed by a polynomial-time algorithm; however, if one knows $\mathrm{prid}(A)$, then one implicitly knows $\mathrm{id}(A)$, since there is a bijection from the set of subsets of $\mathrm{prid}(A)$ to $\mathrm{id}(A)$ that sends $W \subset \mathrm{prid}(A)$ to $e_W = \sum_{e \in W} e \in \mathrm{id}(A)$. For $\mathrm{prid}(A)$ we have the following result.

Theorem 1.1. There is a deterministic polynomial-time algorithm (Algorithm 6.1) that, given an order $A$, lists all primitive idempotents of $A$.

A root of unity in a commutative ring $R$ is an element of finite order of the group $R^*$ of invertible elements of $R$; we write $\mu(R)$ for the set of roots of unity in $R$, which is a subgroup of $R^*$.

As with idempotents, orders $A$ have only finitely many roots of unity, but possibly more than can be listed by a polynomial-time algorithm, and to control $\mu(A)$ we shall use generators and relations. If $S$ is a finite system of generators for an abelian group $G$, then by a set of defining relations for $S$ we mean a system of generators for the kernel of the surjective group homomorphism $\mathbb{Z}^S \to G$,

$$(m_s)_{s \in S} \mapsto \prod_{s \in S} s^{m_s}.$$
Theorem 1.2. There is a deterministic polynomial-time algorithm (Algorithm 13.2) that, given an order $A$, produces a set $S$ of generators of $\mu(A)$, as well as a set of defining relations for $S$.

Theorem 1.2, which provides a key ingredient in an algorithm for lattices with symmetry that was recently developed by the authors [7], is our main result, and its proof occupies most of the paper. It makes use of several techniques from commutative algebra that so far have found little employment in an algorithmic context. A sketch appeared in Proposition 4.7 of 0.

We shall also obtain a solution to the discrete logarithm problem in $\mu(A)$ and all its subgroups, and more generally in all subgroups of the group $\mu(A \otimes_{\mathbb{Z}} \mathbb{Q})$, which is still finite. Note that $A \otimes_{\mathbb{Z}} \mathbb{Q}$ is a ring containing $A$ as a subring, and that a $\mathbb{Z}$-basis for $A$ is a $\mathbb{Q}$-basis for the additive group of $A \otimes_{\mathbb{Z}} \mathbb{Q}$. If one replaces $\mu(A)$ by $\mu(A \otimes_{\mathbb{Z}} \mathbb{Q})$ in Theorem 1.2 then it remains true, and in fact it becomes much easier to prove (Proposition 3.5). Our solution to the discrete logarithm problem in $\mu(A \otimes_{\mathbb{Z}} \mathbb{Q})$ and all of its subgroups, in particular in $\mu(A)$, reads as follows.

Theorem 1.3. There is a deterministic polynomial-time algorithm that, given an order $A$, a finite system $T$ of elements of $\mu(A \otimes_{\mathbb{Z}} \mathbb{Q})$, and an element $\zeta \in A \otimes_{\mathbb{Z}} \mathbb{Q}$, decides whether $\zeta$ belongs to the subgroup $\langle T \rangle \subset \mu(A \otimes_{\mathbb{Z}} \mathbb{Q})$ generated by $T$, and if so finds $(m_t)_{t \in T} \in \mathbb{Z}^T$ with $\zeta = \prod_{t \in T} t^{m_t}$.

We shall prove Theorem 1.3 in section 7 as a consequence of the results on $\mu(A \otimes_{\mathbb{Z}} \mathbb{Q})$ in section 3 and a number of formal properties of "efficient presentations" of abelian groups that are developed in section 7.

A far-reaching generalization of Theorem 1.3, in which $\mu(A \otimes_{\mathbb{Z}} \mathbb{Q})$ is replaced by the full unit group $(A \otimes_{\mathbb{Z}} \mathbb{Q})^*$, is proven in [8].

Of the many auxiliary results that we shall use, there are two that have independent interest. 
The first concerns the discrete logarithm problem in certain unit groups of finite rings, and it reads 
as follows. 

Theorem 1.4. There is a deterministic polynomial-time algorithm that, given a finite commutative ring $R$ and a nilpotent ideal $I \subset R$, produces a set $S$ of generators of the subgroup $1 + I \subset R^*$, as well as a set of defining relations for $S$. Also, there is a deterministic polynomial-time algorithm that, given $R$ and $I$ as before, as well as a finite system $T$ of elements of $1 + I$ and an element $\zeta \in R$, decides whether $\zeta$ belongs to the subgroup $\langle T \rangle \subset 1 + I$, and if so finds $(m_t)_{t \in T} \in \mathbb{Z}^T$ with

$$\zeta = \prod_{t \in T} t^{m_t}.$$

The proof of this theorem is given in section 11. It depends on the resemblance of $1 + I$ to the additive group $I$, in which the discrete logarithm problem is easy.

The second result that we single out for special mention is of a purely theoretical nature. Let $R$ be a commutative ring. For the purposes of this paper, commutative rings have an identity element $1$ (which is $0$ if and only if the ring is the $0$ ring). We call $R$ connected if $\#\mathrm{id}(R) = 2$ or, equivalently, if $\mathrm{id}(R) = \{0, 1\}$ and $R \neq \{0\}$. A polynomial $f \in R[X]$ is called separable (over $R$) if $f$ and its formal derivative $f'$ generate the unit ideal in $R[X]$. For example, $f = X^2 - X$ is separable because

$$(f')^2 - 4f = 1.$$

Theorem 1.5. Let $R$ be a connected commutative ring, and let $f \in R[X]$ be separable. Then $f \neq 0$ and $\#\{r \in R : f(r) = 0\} \le \deg(f)$.

For the elementary proof, see section 8.

While, technically, one must admit that Theorem 1.5 plays only a modest role in the paper, it does convey an important message, namely that zeroes of polynomials that are separable are easier to control than zeroes of other polynomials. Thus, $X^2 - X$ is separable over any $R$, while $X^m - 1$ (for $m \in \mathbb{Z}_{>0}$) is separable if and only if $m \cdot 1 \in R^*$, a condition that for a non-zero order and $m > 1$ is never satisfied; accordingly, Theorem 1.1 is much easier to prove than Theorem 1.2.

We next provide an overview of the algorithms that underlie Theorems 1.1 and 1.2. In both cases, one starts by reducing the problem, in a fairly routine manner, to the special case in which each element of $A$ is a zero of some separable polynomial in $\mathbb{Q}[X]$; for the rest of the introduction we assume that the latter condition is satisfied. Then the $\mathbb{Q}$-algebra $E = A \otimes_{\mathbb{Z}} \mathbb{Q}$ can be written as the product of finitely many algebraic number fields $E/\mathfrak{m}$, with $\mathfrak{m}$ ranging over the finite set $\mathrm{Spec}(E)$ of prime ideals of $E$; hence $\mathrm{prid}(E)$ is in bijection with $\mathrm{Spec}(E)$. The image of $A \subset E$ under the map $E \to E/\mathfrak{m}$ may be identified with the ring $A/(\mathfrak{m} \cap A)$, so that $A$ becomes a subring of the product ring $B = \prod_{\mathfrak{m} \in \mathrm{Spec}(E)} A/(\mathfrak{m} \cap A)$; this is also an order, and it is "close" to $A$ in the sense that the abelian group $B/A$ is finite. The ring $B$ has many idempotents, in the sense that $\mathrm{id}(B)$ equals all of $\mathrm{id}(E)$, and $\#\mathrm{prid}(B) = \#\mathrm{Spec}(E)$. To determine which subsets $W \subset \mathrm{prid}(B)$ give rise to idempotents that lie in $A$, we define a certain graph $\Gamma(A)$ with vertex set $\mathrm{Spec}(E)$ such that the connected components of $\Gamma(A)$ correspond exactly to the primitive idempotents of $A$. This leads to Theorem 1.1.

To prove Theorem 1.2 one likewise starts from $B$, generators for $\mu(B)$ being easily found by standard algorithms from algebraic number theory. However, there is no standard way of computing $\mu(A) = \mu(B) \cap A$, which is the intersection of a multiplicative group and an additive group, and we must proceed in an indirect way. For a prime number $p$, denote by $\mu(A)_p$ the group of roots of unity in $A$ that are of $p$-power order, and likewise $\mu(B)_p$. Then $\mu(A)$ is generated by its subgroups $\mu(A)_p = \mu(B)_p \cap A$, with $p$ ranging over the set of primes dividing $\#\mu(B)$; all these $p$ are "small". It will now suffice to fix $p$ and determine generators for $\mu(A)_p$. To this end, we introduce the intermediate order $A \subset C \subset B$ defined by $C = A[1/p] \cap B$. The finite abelian group $B/C$ is of order coprime to $p$, and it turns out that this makes it relatively easy to determine $\mu(C)_p = \mu(B)_p \cap C$; in fact, one of the results (Proposition 8.1(b)) leading up to Theorem 1.5 stated above shows that this can be done by exploiting the graph $\Gamma(C)$ that we encountered in the context of idempotents. The passage to $\mu(A)_p = \mu(C)_p \cap A$ is of an entirely different nature, as $C/A$ is of order a power of $p$. It is here that we have to invoke Theorem 1.4 for certain finite rings $R$ that are of $p$-power order.

It is important to realize that the only reason that an intersection such as $\mu(A) = \mu(B) \cap A$ is hard to compute is that $\mu(B)$, though finite, may be large: testing each element of $\mu(B)$ for membership in $A$ will not lead to a polynomial-time algorithm. By contrast, the exponent of each group $\mu(B)_p$ is small (Lemma 3.3(iv)), so results stating that certain subgroups of $\mu(B)_p$ are cyclic, of which there are several in the paper, are valuable in obtaining a polynomial bound for the runtime of our algorithm.


2. Definitions and examples 

From now on, when we say commutative Q-algebra we will mean a commutative Q-algebra that 
is finite-dimensional as a Q-vector space. See mm for background on commutative rings and linear 
algebra. 

Definition 2.1. If $A$ is an order whose additive group is isomorphic to $\mathbb{Z}^n$, we call $n$ the rank of $A$.

If the number of idempotents in $R$ is finite, then each idempotent is the sum of a unique subset of $\mathrm{prid}(R)$, and one has $\#\mathrm{id}(R) = 2^{\#\mathrm{prid}(R)}$.

Definition 2.2. A commutative ring $R$ is called connected if $\#\{x \in R : x^2 = x\} = 2$.

Definition 2.3. If $R$ is a commutative ring, let $\mathrm{Spec}(R)$ denote the set of prime ideals of $R$.

Although we do not use it, we point out that a commutative ring $R$ is connected if and only if $R \neq 0$ and $R$ cannot be written as a product of 2 non-zero rings. The definition is motivated by the fact that a commutative ring $R$ is connected if and only if $\mathrm{Spec}(R)$ is connected. (A topological space is connected if and only if it has exactly 2 open and closed subsets.)

Notation 2.4. If $G$ is a group and $p$ is a prime number, define

$$G_p = \{g \in G : g^{p^r} = 1 \text{ for some } r \in \mathbb{Z}_{>0}\}.$$
Definition 2.5. Suppose $R$ is a commutative ring. A polynomial $f \in R[X]$ is separable over $R$ if

$$R[X]f + R[X]f' = R[X],$$

where if $f = \sum_{i=0}^{n} a_i X^i$ then $f' = \sum_{i=1}^{n} i a_i X^{i-1}$.

One can show that if $f$ is a monic polynomial over a commutative ring $R$, then $f$ is separable over $R$ if and only if its discriminant is a unit in $R$.

Definition 2.6. Suppose $E$ is a commutative $\mathbb{Q}$-algebra. If $\alpha \in E$, then $\alpha$ is separable over $\mathbb{Q}$ if there exists a separable polynomial $f \in \mathbb{Q}[X]$ such that $f(\alpha) = 0$. Let $E_{\mathrm{sep}}$ denote the set of $y \in E$ that are separable over $\mathbb{Q}$. We say $E$ is separable over $\mathbb{Q}$ if $E_{\mathrm{sep}} = E$.

We note that $E_{\mathrm{sep}}$ is a commutative $\mathbb{Q}$-algebra (see for example Theorem 1.1 of i).

Definition 2.7. Suppose $R$ is a commutative ring. An element $x \in R$ is called nilpotent if there exists $n \in \mathbb{Z}_{>0}$ such that $x^n = 0$. An ideal $I$ of $R$ is called nilpotent if there exists $n \in \mathbb{Z}_{>0}$ such that $I^n = 0$, where $I^n$ is the product of $I$ with itself $n$ times. The set of nilpotent elements of $R$ is an ideal, called the nilradical and denoted $\sqrt{0}$ or $\sqrt{0_R}$.

Examples 2.8. The polynomial $X^2 - X$ is separable over every ring. A linear polynomial $aX + b$ is separable over $R$ if and only if the $R$-ideal generated by $a$ and $b$ is $R$. If $m \in \mathbb{Z}_{>0}$, then the polynomial $X^m - 1$ is separable over $R$ if and only if $m \cdot 1$ is a unit in $R$.

Example 2.9. Suppose $f(X) \in \mathbb{Z}[X]$ is a monic polynomial of degree $n$. Then the ring $\mathbb{Z}[X]/(f)$ is an order of rank $n$. We remark that the map $e \mapsto \gcd(e, f)$ is a bijection from the set of idempotents of $\mathbb{Z}[X]/(f)$ to $\{g \in \mathbb{Z}[X] : g \text{ is monic}, \ g \mid f, \text{ and } R(g, f/g) = \pm 1\}$, where $R(g, f/g)$ is the resultant of $g$ and $f/g$.

Example 2.10. If $G$ is a finite group of order $2n$ with a fixed element $u$ of order $2$, then $\mathbb{Z}(G) = \mathbb{Z}[G]/(u + 1)$ is a connected order of rank $n$, and $\mu(\mathbb{Z}(G)) = G$ (see Remark 16.3 of [7]).

Example 2.11. If $n \in \mathbb{Z}_{>0}$ and $A = \{(a_i)_{i=1}^{n} \in \mathbb{Z}^n : a_i \equiv a_j \bmod 2 \text{ for all } i, j\}$ with componentwise addition and multiplication, then $A$ is a connected order, $\mu(A) = \{(\pm 1, \ldots, \pm 1)\}$, and $\#\mu(A) = 2^n$. For large $n$, computing a set of generators for $\mu(A)$ is feasible, even when listing all elements of $\mu(A)$ is not.

Example 2.12. Suppose $A = \mathbb{Z}[\zeta_p]$, where $p$ is a prime and $\zeta_p$ is a primitive $p$-th root of unity in $\mathbb{C}$. Then $A$ has rank $p - 1$. If $p > 2$, then $\mu(A) = \langle \zeta_p \rangle \times \langle -1 \rangle$.

3. Finite Q-algebras 

The following two results are from commutative algebra. These results and basic algorithms for commutative $\mathbb{Q}$-algebras are given in [5].

Proposition 3.1. If $E$ is a commutative $\mathbb{Q}$-algebra, then the map

$$E_{\mathrm{sep}} \oplus \sqrt{0} \to E, \qquad (x, y) \mapsto x + y$$

is an isomorphism of $\mathbb{Q}$-vector spaces, and the natural map $E \to \prod_{\mathfrak{m} \in \mathrm{Spec}(E)} E/\mathfrak{m}$ induces an isomorphism of $\mathbb{Q}$-algebras

$$E_{\mathrm{sep}} \xrightarrow{\ \sim\ } \prod_{\mathfrak{m} \in \mathrm{Spec}(E)} E/\math頭frak{m}.$$

In algorithms, we specify a commutative $\mathbb{Q}$-algebra $E$ by listing a system of structure constants $a_{ijk} \in \mathbb{Q}$ that determines the multiplication in $E$ with respect to some $\mathbb{Q}$-basis, just as we did for orders in the introduction.
Algorithm 3.2. There is a deterministic polynomial-time algorithm that, given a commutative $\mathbb{Q}$-algebra $E$, computes a $\mathbb{Q}$-basis for $E_{\mathrm{sep}} \subset E$, a $\mathbb{Q}$-basis for $\sqrt{0}$, the map $E \to E_{\mathrm{sep}} \oplus \sqrt{0}$ that is the inverse to the first isomorphism from Proposition 3.1, all $\mathfrak{m} \in \mathrm{Spec}(E)$, the fields $E/\mathfrak{m}$, and the natural maps $E \to E/\mathfrak{m}$.

Lemma 3.3. If $E$ is a commutative $\mathbb{Q}$-algebra, then:

(i) $\mu(E) = \mu(E_{\mathrm{sep}}) \cong \bigoplus_{\mathfrak{m} \in \mathrm{Spec}(E)} \mu(E/\mathfrak{m})$;

(ii) $\mu(E)$ is finite;

(iii) each $\mu(E/\mathfrak{m})$ is a finite cyclic group;

(iv) if $\mu(E)$ has an element of order $p^k$ with $p$ a prime, then $\varphi(p^k) \le \dim_{\mathbb{Q}}(E)$, where $\varphi$ is Euler's $\varphi$-function.

Proof. Part (i) holds by Proposition 3.1 and the fact that $X^r - 1$ is separable over $\mathbb{Q}$ for all $r \in \mathbb{Z}_{>0}$. If $\mu(E)$ has an element of prime power order $p^k$, then $\mathbb{Q}(\zeta_{p^k}) \subset E/\mathfrak{m}$ for some $\mathfrak{m}$, where $\zeta_{p^k}$ is a primitive $p^k$-th root of unity. Thus $\varphi(p^k) \le [E/\mathfrak{m} : \mathbb{Q}] \le \dim_{\mathbb{Q}}(E)$. Since each $E/\mathfrak{m}$ is a number field, $\mu(E/\mathfrak{m})$ is cyclic. □

Algorithm 3.4. The algorithm takes as input a commutative $\mathbb{Q}$-algebra $E$ and produces a set of generators $S$ of $\mu(E)$ as well as a set $R$ of defining relations for $S$.

(i) For each $\mathfrak{n} \in \mathrm{Spec}(E)$, use the algorithm in [3] to find all zeroes of $X^r - 1$ over $E/\mathfrak{n}$, for $r = 1, 2, \ldots, 2[E/\mathfrak{n} : \mathbb{Q}]^2$, let $\zeta_{\mathfrak{n}} \in (E/\mathfrak{n})^*$ be an element of maximal order among the zeroes found, and let $k(\mathfrak{n})$ be its order.

(ii) For each $\mathfrak{n} \in \mathrm{Spec}(E)$, use linear algebra to compute the unique element $\eta_{\mathfrak{n}} \in E_{\mathrm{sep}}$ that under the second isomorphism from Proposition 3.1 maps to $(1, \ldots, 1, \zeta_{\mathfrak{n}}, 1, \ldots, 1) \in \prod_{\mathfrak{m} \in \mathrm{Spec}(E)} E/\mathfrak{m}$ (with $\zeta_{\mathfrak{n}}$ in the $\mathfrak{n}$-th position). Output $S = \{\eta_{\mathfrak{n}} \in \mu(E) : \mathfrak{n} \in \mathrm{Spec}(E)\}$ and $R = \{(0, \ldots, 0, k(\mathfrak{n}), 0, \ldots, 0) \in \mathbb{Z}^S : \mathfrak{n} \in \mathrm{Spec}(E)\}$.

Proposition 3.5. Algorithm 3.4 produces correct output and runs in polynomial time.

Proof. If the number field $E/\mathfrak{n}$ contains a primitive $r$-th root of unity, then it contains the $r$-th cyclotomic field, which has degree $\varphi(r)$ over $\mathbb{Q}$; hence $\varphi(r) \le [E/\mathfrak{n} : \mathbb{Q}]$ and $r < 2\varphi(r)^2 \le 2[E/\mathfrak{n} : \mathbb{Q}]^2$. Together with Lemma 3.3(i), this implies that the algorithm is correct. It runs in polynomial time by [4]. □

Algorithm 3.6. The algorithm takes as input a commutative $\mathbb{Q}$-algebra $E$, an element $\gamma \in E$, and a set $S = \{\eta_{\mathfrak{n}} \in \mu(E) : \mathfrak{n} \in \mathrm{Spec}(E)\}$ of generators for $\mu(E)$ as computed by Algorithm 3.4. It tests whether $\gamma \in \mu(E)$, and if so, finds $(a_{\mathfrak{n}})_{\mathfrak{n} \in \mathrm{Spec}(E)} \in \mathbb{Z}^{\mathrm{Spec}(E)}$ with $\gamma = \prod_{\mathfrak{n} \in \mathrm{Spec}(E)} \eta_{\mathfrak{n}}^{a_{\mathfrak{n}}}$.

(i) Use linear algebra to test if $\gamma \in E_{\mathrm{sep}}$. If not, terminate with "no" (that is, $\gamma \notin \mu(E)$).

(ii) Otherwise, for each $\mathfrak{n} \in \mathrm{Spec}(E)$ compute the image $\gamma_{\mathfrak{n}}$ of $\gamma$ in $E/\mathfrak{n}$, and let $\zeta_{\mathfrak{n}}$ (as in Algorithm 3.4) be the image of $\eta_{\mathfrak{n}}$ in $E/\mathfrak{n}$. Try $a = 0, 1, 2, \ldots, \#\mu(E/\mathfrak{n}) - 1$ until $\gamma_{\mathfrak{n}} = \zeta_{\mathfrak{n}}^a$, and let $a_{\mathfrak{n}} = a$. If for some $\mathfrak{n}$ no $a_{\mathfrak{n}}$ exists, terminate with "no".

(iii) Otherwise, output $(a_{\mathfrak{n}})_{\mathfrak{n} \in \mathrm{Spec}(E)}$.

That Algorithm 3.6 produces correct output and runs in polynomial time follows from Lemma 3.3, since $\mu(E/\mathfrak{n}) = \langle \zeta_{\mathfrak{n}} \rangle$.


4. Orders

From now on, suppose that $A$ is an order. Let

$$E = A_{\mathbb{Q}} = A \otimes_{\mathbb{Z}} \mathbb{Q}, \qquad A_{\mathrm{sep}} = A \cap E_{\mathrm{sep}}.$$

Since $E_{\mathrm{sep}}/A_{\mathrm{sep}} \subset E/A = A_{\mathbb{Q}}/A$ is a torsion group, one has $E_{\mathrm{sep}} = (A_{\mathrm{sep}})_{\mathbb{Q}}$.
Lemma 4.1. We have $\mathrm{id}(E_{\mathrm{sep}}) = \mathrm{id}(E)$, $\mathrm{id}(A_{\mathrm{sep}}) = \mathrm{id}(A)$, and $\mu(A_{\mathrm{sep}}) = \mu(A)$.

Proof. This holds because the polynomials $X^2 - X$ and $X^r - 1$ are separable over $\mathbb{Q}$ for all $r \in \mathbb{Z}_{>0}$. □

Algorithm 4.2. The algorithm takes as input an order $A$ and it computes the $\mathbb{Q}$-algebras $E$ and $E_{\mathrm{sep}} \subset E$, as well as the order $A_{\mathrm{sep}} = A \cap E_{\mathrm{sep}}$, giving a $\mathbb{Z}$-basis for $A_{\mathrm{sep}}$ expressed both in the given $\mathbb{Z}$-basis of $A$ and in the $\mathbb{Q}$-basis for $E_{\mathrm{sep}}$.

(i) We use the given $\mathbb{Z}$-basis for $A$ as a $\mathbb{Q}$-basis for $E$, with the same structure constants.

(ii) Let $\pi_1 : A \to E_{\mathrm{sep}}$ and $\pi_2 : A \to \sqrt{0}$ be the compositions of the inclusion $A \subset E$ with the map $E \to E_{\mathrm{sep}} \oplus \sqrt{0}$ from Algorithm 3.2 followed by the natural projections to $E_{\mathrm{sep}}$ and $\sqrt{0}$, respectively. Using Algorithm 3.2, compute a $\mathbb{Q}$-basis for $E_{\mathrm{sep}}$ and the rational matrices describing $\pi_1$ and $\pi_2$. Applying the kernel algorithm in §14 of [5] to an integer multiple of the matrix for $\pi_2$, compute a $\mathbb{Z}$-basis for $A_{\mathrm{sep}} = \ker(\pi_2)$ expressed in the given $\mathbb{Z}$-basis for $A$. Applying $\pi_1$ to this $\mathbb{Z}$-basis, one obtains the same $\mathbb{Z}$-basis expressed in the $\mathbb{Q}$-basis for $E_{\mathrm{sep}}$.

Algorithm 4.2 is clearly correct and polynomial time.

5. Graphs attached to rings

Lemma 5.1. Suppose that $R$ is a commutative ring, $S$ is a finite set of ideals of $R$ that are not $R$ itself, and suppose that $\bigcap_{\mathfrak{a} \in S} \mathfrak{a} = \{0\}$. Identify $R$ with its image in $\prod_{\mathfrak{a} \in S} R/\mathfrak{a}$. Suppose that

$$e = (e_{\mathfrak{a}})_{\mathfrak{a} \in S} \in \{0, 1\}^S \subset \prod_{\mathfrak{a} \in S} R/\mathfrak{a}.$$

Then $e \in R$ if and only if $e_{\mathfrak{a}} = e_{\mathfrak{b}}$ in $\{0, 1\}$ for all $\mathfrak{a}, \mathfrak{b} \in S$ such that $\mathfrak{a} + \mathfrak{b} \neq R$.

Proof. First suppose $e \in R$. Suppose $\mathfrak{a}, \mathfrak{b} \in S$ and $\mathfrak{a} + \mathfrak{b} \neq R$. Choose $e'_{\mathfrak{a}} \in \{0, 1\} \subset R$ whose image in $R/\mathfrak{a}$ is $e_{\mathfrak{a}} = e + \mathfrak{a}$, and choose $e'_{\mathfrak{b}} \in \{0, 1\} \subset R$ whose image in $R/\mathfrak{b}$ is $e_{\mathfrak{b}} = e + \mathfrak{b}$. Then $e'_{\mathfrak{a}} \equiv e \bmod \mathfrak{a}$ and $e'_{\mathfrak{b}} \equiv e \bmod \mathfrak{b}$, so $e'_{\mathfrak{a}} \equiv e \equiv e'_{\mathfrak{b}} \bmod (\mathfrak{a} + \mathfrak{b})$. Since $\mathfrak{a} + \mathfrak{b} \neq R$ we have $1 \notin \mathfrak{a} + \mathfrak{b}$. Thus, $e'_{\mathfrak{a}} = e'_{\mathfrak{b}}$ in $\{0, 1\}$, as desired.

Conversely, suppose that $e_{\mathfrak{a}} = e_{\mathfrak{b}}$ in $\{0, 1\}$ for all $\mathfrak{a}, \mathfrak{b} \in S$ with $\mathfrak{a} + \mathfrak{b} \neq R$. Let $T = \{\mathfrak{a} \in S : e_{\mathfrak{a}} = 1\}$ and $U = \{\mathfrak{b} \in S : e_{\mathfrak{b}} = 0\}$. Then $S = T \cup U$. Pick $\mathfrak{a} \in T$ and $\mathfrak{b} \in U$. By our assumption, $\mathfrak{a} + \mathfrak{b} = R$. Thus, there exist $x_{\mathfrak{a},\mathfrak{b}} \in \mathfrak{a}$ and $y_{\mathfrak{a},\mathfrak{b}} \in \mathfrak{b}$ such that $1 = x_{\mathfrak{a},\mathfrak{b}} + y_{\mathfrak{a},\mathfrak{b}}$. It follows that $y_{\mathfrak{a},\mathfrak{b}} \equiv 1 \bmod \mathfrak{a}$ and $y_{\mathfrak{a},\mathfrak{b}} \equiv 0 \bmod \mathfrak{b}$. For all $\mathfrak{a} \in T$, define $z_{\mathfrak{a}} = \prod_{\mathfrak{b} \in U} y_{\mathfrak{a},\mathfrak{b}}$. Then $z_{\mathfrak{a}} \equiv 1 \bmod \mathfrak{a}$ and $z_{\mathfrak{a}} \equiv 0$ modulo each $\mathfrak{b} \in U$. Define $e' = 1 - \prod_{\mathfrak{a} \in T} (1 - z_{\mathfrak{a}}) \in R$. Then $e' \equiv 1$ modulo each $\mathfrak{a} \in T$, and $e' \equiv 0$ modulo each $\mathfrak{b} \in U$. Thus, $e' \equiv e_{\mathfrak{a}} \bmod \mathfrak{a}$ for each $\mathfrak{a} \in S$, so $e' = e$. □

We say that $D$ is an order in a separable $\mathbb{Q}$-algebra if $D$ is an order and $D_{\mathbb{Q}} = D \otimes_{\mathbb{Z}} \mathbb{Q}$ is separable.

Definition 5.2. Suppose that $D$ is an order in a separable $\mathbb{Q}$-algebra $D_{\mathbb{Q}}$. For $\mathfrak{m}, \mathfrak{n} \in \mathrm{Spec}(D_{\mathbb{Q}})$ with $\mathfrak{m} \neq \mathfrak{n}$, let

$$n(D, \mathfrak{m}, \mathfrak{n}) = \#\big(D/((\mathfrak{m} \cap D) + (\mathfrak{n} \cap D))\big),$$

and let $\Gamma(D)$ denote the graph on $\mathrm{Spec}(D_{\mathbb{Q}})$ defined by connecting distinct vertices $\mathfrak{m}, \mathfrak{n} \in \mathrm{Spec}(D_{\mathbb{Q}})$ by an edge if and only if $n(D, \mathfrak{m}, \mathfrak{n}) > 1$.

Lemma 5.3. $n(D, \mathfrak{m}, \mathfrak{n}) \in \mathbb{Z}_{>0}$.

Proof. Let $R = D/((\mathfrak{m} \cap D) + (\mathfrak{n} \cap D))$. Then $n(D, \mathfrak{m}, \mathfrak{n}) = \#R$. Letting $-_{\mathbb{Q}} = - \otimes_{\mathbb{Z}} \mathbb{Q}$, we have
$$R_{\mathbb{Q}} = D_{\mathbb{Q}}/((\mathfrak{m}_{\mathbb{Q}} \cap D_{\mathbb{Q}}) + (\mathfrak{n}_{\mathbb{Q}} \cap D_{\mathbb{Q}})) = D_{\mathbb{Q}}/(\mathfrak{m} + \mathfrak{n}) = 0,$$
so $R$ is torsion. Since $R$ is finitely generated as an abelian group, it is finite, so $n(D, \mathfrak{m}, \mathfrak{n}) \in \mathbb{Z}_{>0}$. □
Example 5.4. Let $f \in \mathbb{Z}[X]$ be monic. Then $D = \mathbb{Z}[X]/(f)$ is an order in a separable $\mathbb{Q}$-algebra if and only if $f$ is squarefree. Suppose $f$ is squarefree. Then $D_{\mathbb{Q}} = \mathbb{Q}[X]/(f)$, and $\mathrm{Spec}(D_{\mathbb{Q}})$ is in bijection with the set of monic irreducible factors $g$ of $f$ in $\mathbb{Z}[X]$, each $g$ corresponding to $\mathfrak{m} = (g)/(f)$. If $g, h$ correspond to $\mathfrak{m}, \mathfrak{n}$, respectively, then $n(D, \mathfrak{m}, \mathfrak{n}) = |R(g, h)|$, with $R$ denoting the resultant.

Suppose $D$ is an order in a separable $\mathbb{Q}$-algebra. It is natural to ask whether the decomposition $D_{\mathbb{Q}} \cong \prod_{\mathfrak{m} \in \mathrm{Spec}(D_{\mathbb{Q}})} D_{\mathbb{Q}}/\mathfrak{m}$ (Proposition 3.1) gives rise to a decomposition of the order $D$. This depends on the idempotents that are present in $D$. The graph $\Gamma(D)$ tells us which idempotents occur in $D$ (see Lemma 5.1 and Proposition 5.7).

Notation 5.5. Suppose that $D$ is an order in a separable $\mathbb{Q}$-algebra. If $W \subset \mathrm{Spec}(D_{\mathbb{Q}})$, define

$$e_W = (e_{\mathfrak{m}})_{\mathfrak{m} \in \mathrm{Spec}(D_{\mathbb{Q}})} \in \mathrm{id}\Big(\prod_{\mathfrak{m} \in \mathrm{Spec}(D_{\mathbb{Q}})} D_{\mathbb{Q}}/\mathfrak{m}\Big) = \{0, 1\}^{\mathrm{Spec}(D_{\mathbb{Q}})}$$

by $e_{\mathfrak{m}} = 1$ if $\mathfrak{m} \in W$ and $e_{\mathfrak{m}} = 0$ if $\mathfrak{m} \notin W$.

Algorithm 5.6. The algorithm takes an order $D$ in a separable $\mathbb{Q}$-algebra and computes the graph $\Gamma(D)$, its connected components, and its weights $n(D, \mathfrak{m}, \mathfrak{n})$ for all $\mathfrak{m}, \mathfrak{n} \in \mathrm{Spec}(D_{\mathbb{Q}})$.

(i) Use Algorithm 3.2 to compute $\mathrm{Spec}(D_{\mathbb{Q}})$ and the maps $D_{\mathbb{Q}} \to D_{\mathbb{Q}}/\mathfrak{m}$ for $\mathfrak{m} \in \mathrm{Spec}(D_{\mathbb{Q}})$.

(ii) For each $\mathfrak{m} \in \mathrm{Spec}(D_{\mathbb{Q}})$ compute $\mathfrak{m} \cap D = \ker(D \to D_{\mathbb{Q}}/\mathfrak{m})$ by applying the kernel algorithm in §14 of [5].

(iii) For all $\mathfrak{m} \neq \mathfrak{n} \in \mathrm{Spec}(D_{\mathbb{Q}})$, apply the image algorithm in §14 of [5] to compute a $\mathbb{Z}$-basis of

$$\mathrm{image}\big((\mathfrak{m} \cap D) \oplus (\mathfrak{n} \cap D) \to D\big) = (\mathfrak{m} \cap D) + (\mathfrak{n} \cap D)$$

expressed in a $\mathbb{Z}$-basis of $D$, and compute $n(D, \mathfrak{m}, \mathfrak{n})$ as the absolute value of the determinant of the matrix whose columns are those basis vectors.

(iv) Use the numbers $n(D, \mathfrak{m}, \mathfrak{n})$ to obtain the graph $\Gamma(D)$ and its connected components.

The algorithm runs in polynomial time by well-known graph algorithms (see for example [2]).

Proposition 5.7. Suppose that $D$ is an order in a separable $\mathbb{Q}$-algebra.

(i) Suppose $e = (e_{\mathfrak{m}})_{\mathfrak{m} \in \mathrm{Spec}(D_{\mathbb{Q}})} \in \mathrm{id}\big(\prod_{\mathfrak{m}} D_{\mathbb{Q}}/\mathfrak{m}\big) = \{0, 1\}^{\mathrm{Spec}(D_{\mathbb{Q}})}$. Then the following are equivalent:

(a) $e \in D$,

(b) $e_{\mathfrak{m}} = e_{\mathfrak{n}}$ whenever $\mathfrak{m}$ and $\mathfrak{n}$ are connected in $\Gamma(D)$,

(c) $e_{\mathfrak{m}} = e_{\mathfrak{n}}$ whenever $\mathfrak{m}$ and $\mathfrak{n}$ are in the same connected component of $\Gamma(D)$.

(ii) Let $\mathcal{U}$ denote the set of connected components of the graph $\Gamma(D)$ and recall $e_W$ from Notation 5.5. Then $W \mapsto e_W$ gives a bijection

$$\mathcal{U} \xrightarrow{\ \sim\ } \mathrm{prid}(D) \subset D \subset \prod_{\mathfrak{m} \in \mathrm{Spec}(D_{\mathbb{Q}})} D_{\mathbb{Q}}/\mathfrak{m}.$$

Proof. Apply Lemma 5.1 with $R = D$ and $S = \{\mathfrak{m} \cap D : \mathfrak{m} \in \mathrm{Spec}(D_{\mathbb{Q}})\}$. We have $\bigcap_{\mathfrak{a} \in S} \mathfrak{a} = \{0\}$ since $D$ injects into $\prod_{\mathfrak{m}} D_{\mathbb{Q}}/\mathfrak{m}$. Identifying $\mathrm{id}(\prod_{\mathfrak{m}} D_{\mathbb{Q}}/\mathfrak{m})$ with $\{0, 1\}^S$, Lemma 5.1 implies that if $e = (e_{\mathfrak{m}})_{\mathfrak{m} \in \mathrm{Spec}(D_{\mathbb{Q}})} \in \mathrm{id}(\prod_{\mathfrak{m}} D_{\mathbb{Q}}/\mathfrak{m})$, then $e \in D$ if and only if $e_{\mathfrak{m}} = e_{\mathfrak{n}}$ for all $\mathfrak{m}, \mathfrak{n} \in \mathrm{Spec}(D_{\mathbb{Q}})$ that are connected in $\Gamma(D)$. It follows that for each $e = (e_{\mathfrak{m}})_{\mathfrak{m}} \in \mathrm{id}(D)$ the components $e_{\mathfrak{m}}$ are constant ($0$ or $1$) on each connected component of $\Gamma(D)$. Part (i) now follows. It also follows that there is a bijection

$$\{\text{subsets of } \mathcal{U}\} \xrightarrow{\ \sim\ } \mathrm{id}(D)$$

defined by $\mathcal{T} \mapsto e_{\bigcup_{W \in \mathcal{T}} W}$, with inverse $e = (e_{\mathfrak{m}})_{\mathfrak{m}} \mapsto \{W \in \mathcal{U} : e_{\mathfrak{m}} = 1 \text{ for all } \mathfrak{m} \in W\}$. Under this bijection, $\mathrm{prid}(D)$ corresponds to $\mathcal{U}$, and this gives the bijection in (ii). □
Remark 5.8. In particular, by Proposition 5.7(ii) an order $D$ is connected if and only if $\Gamma(D)$ is connected.


6. Finding idempotents

The set of idempotents of an order may be too large to compute, but the set of primitive idempotents is something that we are able to efficiently compute.

Algorithm 6.1. Given an order $A$, the algorithm outputs the set of primitive idempotents of $A$.

(i) Use Algorithm 4.2 to compute $A_{\mathrm{sep}}$.

(ii) Use Algorithm 5.6 to compute the graph $\Gamma(A_{\mathrm{sep}})$ and its connected components.

(iii) For each connected component $W$ of $\Gamma(A_{\mathrm{sep}})$, with $e_W \in \{0, 1\}^{\mathrm{Spec}(E)} \subset \prod_{\mathfrak{m} \in \mathrm{Spec}(E)} E/\mathfrak{m}$ as in Notation 5.5, use the inverse of the square matrix with $\mathbb{Q}$-coefficients that gives the natural map $E_{\mathrm{sep}} \to \prod_{\mathfrak{m} \in \mathrm{Spec}(E)} E/\mathfrak{m}$ of Proposition 3.1 to lift $e_W$ to $E_{\mathrm{sep}}$. Output these lifts.

It follows from Proposition 5.7(ii) that the lift of $e_W$ to $E_{\mathrm{sep}}$ is in $A_{\mathrm{sep}}$, and that Algorithm 6.1 gives the desired output $\mathrm{prid}(A)$. It is clear that it runs in polynomial time.
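The following Python example is added here and is not code from the paper; it carries the idempotent computation of Algorithm 5.6, Proposition 5.7 and Algorithm 6.1 through for the orders $D = \mathbb{Z}[X]/(f)$ of Examples 2.9 and 5.4, where everything becomes polynomial arithmetic. It assumes that `sympy` is installed and that $f$ is monic and squarefree; `factor_list` plays the role of the standard factoring algorithm that produces $\mathrm{Spec}(D_{\mathbb{Q}})$, the resultant gives the weights $n(D, \mathfrak{m}, \mathfrak{n}) = |R(g, h)|$, and the lift of $e_W$ is obtained by inverting the product of the factors outside $W$ modulo the product of the factors inside $W$, which is possible over $\mathbb{Z}$ because the resultant between the two products is $\pm 1$ when no edge crosses the component boundary.

```python
# Added example (not code from the paper): primitive idempotents of the order
# D = Z[X]/(f), f monic and squarefree, via the graph Gamma(D) of Section 5.
# Vertices: the monic irreducible factors g of f (Example 5.4 identifies them
# with Spec(D_Q)); weight of {g, h}: |Res(g, h)| = n(D, m, n); edge iff > 1.
# Each connected component W yields the primitive idempotent e_W that is 1 on
# the factors in W and 0 on the others (Proposition 5.7), lifted to Z[X]/(f)
# as in Example 2.9.  Requires sympy (assumption).
from itertools import combinations
from sympy import (symbols, factor_list, resultant, invert, rem, expand,
                   Mul, Poly, quo, S)

X = symbols('X')


def irreducible_factors(f):
    """Monic irreducible factors of a monic squarefree f in Z[X]."""
    const, factors = factor_list(f, X)
    if const != 1 or any(mult != 1 for _, mult in factors):
        raise ValueError("f must be monic and squarefree")
    return [g for g, _ in factors]


def edge_weights(factors):
    """n(D, m, n) = |Res(g, h)| for each pair of distinct factors (Example 5.4)."""
    return {(g, h): abs(int(resultant(g, h, X)))
            for g, h in combinations(factors, 2)}


def connected_components(factors, weights):
    """Connected components of Gamma(D): union-find over the edges of weight > 1."""
    parent = {g: g for g in factors}

    def find(a):
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a

    for (g, h), w in weights.items():
        if w > 1:
            parent[find(g)] = find(h)
    comps = {}
    for g in factors:
        comps.setdefault(find(g), []).append(g)
    return list(comps.values())


def primitive_idempotents(f):
    """prid(Z[X]/(f)), each idempotent reduced to degree < deg f."""
    factors = irreducible_factors(f)
    comps = connected_components(factors, edge_weights(factors))
    idempotents = []
    for W in comps:
        h = expand(Mul(*W))       # e_W must be 1 modulo every factor in W
        g = quo(f, h, X)          # and 0 modulo every factor outside W
        if g == 1:
            e = S.One             # a single component: e_W = 1
        else:
            # Res(g, h) = +-1 here (no edge crosses the component boundary), so
            # g is invertible modulo h over Z, and e = g * g^{-1} satisfies
            # e = 0 mod g and e = 1 mod h.
            e = rem(expand(invert(g, h, X) * g), f, X)
            if not all(c.is_integer for c in Poly(e, X).all_coeffs()):
                raise ArithmeticError("non-integral lift; graph is inconsistent")
        idempotents.append(e)
    return idempotents


def is_idempotent(e, f):
    """Check e^2 = e in Z[X]/(f)."""
    return rem(expand(e * e - e), f, X) == 0


def is_connected_order(f):
    """Remark 5.8: Z[X]/(f) is connected iff Gamma(D) has one component."""
    return len(primitive_idempotents(f)) == 1


def equals(e1, e2):
    """Structural equality of two polynomial expressions."""
    return expand(e1 - e2) == 0


if __name__ == "__main__":
    for f in (X**2 - 1, X**2 - X, X**3 - X):
        print(f, "->", primitive_idempotents(f))
```

For $f = X^3 - X$ the factors $X - 1$ and $X + 1$ have resultant $2$ and so are joined by an edge, while $X$ is joined to neither; the two components give the primitive idempotents $X^2$ and $1 - X^2$ (note $(X^2)^2 = X^4 \equiv X^2 \bmod X^3 - X$). For $f = X^2 - 1$ the single edge of weight $2$ makes $\mathbb{Z}[X]/(X^2 - 1)$ connected, in agreement with Example 2.11 for $n = 2$.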

7. Discrete logarithms

In this section, we suppose that G is a multiplicatively written abelian group with elements 
represented by finite bitstrings. All algorithms in the present section have G as part of their input. 
Thus, saying that they are polynomial-time means that their runtime is bounded by a polynomial 
function of the length of the parameters specifying G plus the length of the rest of the input. We 
suppose that polynomial-time algorithms for the group operations and for equality testing in G are 
available. 

Definition 7.1. We say $(S|R)$ is an efficient presentation for $G$ if $S$ is a finite set, and we have a map $f = f_S : S \to G$ satisfying:

(a) $f(S)$ generates $G$, i.e., the map $g_S : \mathbb{Z}^S \to G$, $(b_s)_{s \in S} \mapsto \prod_{s \in S} f(s)^{b_s}$, is surjective,

(b) $R \subset \mathbb{Z}^S$ is a finite set of generators for $\ker(g_S)$,

(c) we have a polynomial-time algorithm that on input $\gamma \in G$ finds an element of $g_S^{-1}(\gamma)$ (i.e., finds $(c_s)_{s \in S} \in \mathbb{Z}^S$ such that $\gamma = \prod_{s \in S} f(s)^{c_s}$).

Notation 7.2. Suppose $(S|R)$ is an efficient presentation for $G$. Define

$$p : \mathbb{Z}^R \to \mathbb{Z}^S, \qquad p((m_r)_{r \in R}) = \sum_{r \in R} m_r r.$$

Suppose $T$ is a finite set and we have a map $f_T : T \to G$. By abuse of notation we usually suppress the maps $f_S$ and $f_T$ and write $s$ for $f_S(s)$ and $t$ for $f_T(t)$, and write $\langle T \rangle$ for $\langle f_T(T) \rangle$. Define

$$g_T : \mathbb{Z}^T \to \langle T \rangle, \qquad (b_t)_{t \in T} \mapsto \prod_{t \in T} t^{b_t}.$$

Define $h = h_T : \mathbb{Z}^T \to \mathbb{Z}^S$ by using (c) to write each $t \in T$ as $t = \prod_{s \in S} s^{c_{s,t}}$ and defining

$$h((b_t)_{t \in T}) = \Big(\sum_{t \in T} b_t c_{s,t}\Big)_{s \in S} \in \mathbb{Z}^S,$$

so that $g_T = g_S \circ h$.

For the remainder of this section we suppose that an efficient presentation $(S|R)$ for an abelian group $G$ is given.

Algorithm 7.3. The algorithm takes as input $G$, an efficient presentation $(S|R)$ for $G$, and a finite set $T$ with a map $T \to G$, and outputs a finite set $U = U_T$ of generators for $\ker(g_T)$.

(i) Define $h - p : \mathbb{Z}^T \times \mathbb{Z}^R \to \mathbb{Z}^S$ by $(h - p)(x, y) = h(x) - p(y)$. Use the kernel algorithm in §14 of [5] to compute a finite set $V$ of generators for $\ker(h - p)$.

(ii) Compute the image $U$ of $V$ under the projection map $\mathbb{Z}^T \times \mathbb{Z}^R \to \mathbb{Z}^T$, $(x, y) \mapsto x$.

Theorem 7.4. Algorithm 7.3 produces correct output and runs in polynomial time.

Proof. We have:

$$x \in \ker(g_T) \iff h(x) \in \ker(g_S) = \mathrm{im}(p) \iff \exists y \in \mathbb{Z}^R \text{ such that } h(x) = p(y)$$

$$\iff \exists y \in \mathbb{Z}^R \text{ such that } (h - p)(x, y) = 0 \iff \exists y \in \mathbb{Z}^R \text{ such that } (x, y) \in \langle V \rangle$$

$$\iff x \in \mathrm{proj}(\langle V \rangle) = \langle \mathrm{proj}(V) \rangle = \langle U \rangle.$$

□

Algorithm 7.5. The algorithm takes as input $G$, an efficient presentation $(S|R)$ for $G$, a finite set $T$ with a map $T \to G$, and an element $\gamma \in G$, and decides whether $\gamma \in \langle T \rangle$, and if it is, produces an element of $g_T^{-1}(\gamma)$ (i.e., finds $(c_t)_{t \in T} \in \mathbb{Z}^T$ such that $\gamma = \prod_{t \in T} t^{c_t}$).

(i) Apply Algorithm 7.3 with $T \cup \{\gamma\}$ in place of $T$ to find a finite set of generators $U_{T \cup \{\gamma\}} \subset \mathbb{Z}^{T \cup \{\gamma\}}$ for $\ker(g_{T \cup \{\gamma\}})$, where

$$g_{T \cup \{\gamma\}} : \mathbb{Z}^{T \cup \{\gamma\}} = \mathbb{Z}^T \times \mathbb{Z}^{\{\gamma\}} \to G, \qquad (x, n) \mapsto g_T(x)\gamma^n.$$

(ii) Map the elements $u \in U_{T \cup \{\gamma\}} \subset \mathbb{Z}^{T \cup \{\gamma\}} = \mathbb{Z}^T \times \mathbb{Z}^{\{\gamma\}}$ to their $\mathbb{Z}^{\{\gamma\}}$-components $u(\gamma) \in \mathbb{Z}$. If $1 \notin \sum_u \mathbb{Z}\,u(\gamma)$ then $\gamma \notin \langle T \rangle$; if $1 = \sum_u n_u u(\gamma)$ with $n_u \in \mathbb{Z}$, then $\gamma \in \langle T \rangle$ and the $\mathbb{Z}^T$-component of $-\sum_u n_u u \in \mathbb{Z}^T \times \mathbb{Z}^{\{\gamma\}}$ is an element of $g_T^{-1}(\gamma)$.

Algorithm 7.6. The algorithm takes as input $G$, an efficient presentation $(S|R)$ for $G$, and a finite set $T$ with a map $T \to G$, and outputs an efficient presentation $(T|U_T)$ for $\langle T \rangle$.

(i) Apply Algorithm 7.3 to obtain a set $U_T$ of relations.

(ii) Output the presentation $(T|U_T)$.

Theorem 7.7. Algorithms 7.5 and 7.6 produce correct output and run in polynomial time. In particular, if one has an efficient presentation for $G$, and $T$ is a finite set with a map $T \to G$, then $(T|U_T)$ is an efficient presentation for $\langle T \rangle$.

Proof. We have:

$$\gamma \in \langle T \rangle \iff \exists x \in \mathbb{Z}^T \text{ such that } \gamma = g_T(x)$$

$$\iff \exists x \in \mathbb{Z}^T \text{ such that } (-x, 1) \in \ker\big(g_{T \cup \{\gamma\}} : \mathbb{Z}^T \times \mathbb{Z} \to G\big) = \langle U_{T \cup \{\gamma\}} \rangle$$

$$\iff 1 \in \mathrm{im}\big(\mathrm{proj} : \langle U_{T \cup \{\gamma\}} \rangle \subset \mathbb{Z}^T \times \mathbb{Z} \to \mathbb{Z}\big)$$

$$\iff \exists (n_u)_{u \in U_{T \cup \{\gamma\}}} \in \mathbb{Z}^{U_{T \cup \{\gamma\}}} \text{ and } x \in \mathbb{Z}^T \text{ such that } \sum_{u} n_u u = (-x, 1),$$

where proj is projection onto the second component. □

Algorithm 7.8. The algorithm takes as input $G$, an efficient presentation for $G$, finite sets $T$ and $T'$, and maps $f_T : T \to G$ and $f_{T'} : T' \to G$, and outputs a finite set of generators for the kernel of the composition $\mathbb{Z}^T \to G \to G/\langle T' \rangle$, where $\mathbb{Z}^T \to G$ is the map $g_T$.

Theorem 7.9. Algorithm 7.8 produces correct output and runs in polynomial time.

Proof. We have:

$$x \in \ker\big(\mathbb{Z}^T \to G/\langle T' \rangle\big) \iff g_T(x) \in \langle T' \rangle = \mathrm{im}(g_{T'})$$

$$\iff \exists y \in \mathbb{Z}^{T'} \text{ such that } g_T(x) = g_{T'}(y)$$

$$\iff \exists y \in \mathbb{Z}^{T'} \text{ such that } (x, y) \in \ker\big(\mathbb{Z}^T \times \mathbb{Z}^{T'} \to G\big)$$

$$\iff x \in \mathrm{proj}\big(\ker(\mathbb{Z}^T \times \mathbb{Z}^{T'} \to G) \to \mathbb{Z}^T\big),$$

where proj denotes projection onto the $\mathbb{Z}^T$-component. □

Proof of Theorem 1.3. One starts by computing $E = A \otimes_{\mathbb{Z}} \mathbb{Q}$, using the same structure constants as for $A$. Algorithm 3.4 produces a presentation for $\mu(E)$, and by Algorithm 3.6 this is an efficient presentation. Given $T$ and $\zeta$ as in Theorem 1.3, one can test whether $\zeta \in \mu(E)$ by Algorithm 3.6. Now Theorem 1.3 is obtained from Algorithm 7.5 with $G = \mu(E)$ and $\gamma = \zeta$.
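The Python example below is added here and is not code from the paper; it runs Algorithms 7.3, 7.5 and 7.6 on a group given by an efficient presentation $(S|R)$ and the proofs of Theorems 7.4 and 7.7 as integer linear algebra. It assumes the simplest setting in which these algorithms make sense: elements of $G$ are handed to us as exponent vectors in $\mathbb{Z}^S$ (so condition (c) of Definition 7.1 costs nothing), the maps $h$ and $p$ of Notation 7.2 are matrices whose columns are the exponent vectors of $T$ and the relations $R$, and the kernel algorithm of [5] is replaced by a small column-echelon routine of my own (unimodular column operations, as in a Hermite normal form computation). The sample group $G = \mathbb{Z}/12 \times \mathbb{Z}/8$, the set $T$ and the elements tested are constructed for the example.

```python
# Added example (not code from the paper): Algorithms 7.3, 7.5, 7.6 as integer
# linear algebra.  G is given by an efficient presentation (S|R): an element is
# an exponent vector in Z^S, two vectors represent the same element when they
# differ by an element of the lattice spanned by R.  Groups are written
# additively here (sum of c_t * t instead of product of t^{c_t}).
# The "kernel algorithm" of [5] is replaced by a column-echelon routine.


def integer_kernel(M):
    """Z-basis of {x in Z^n : M x = 0} for an integer matrix M (list of rows).

    Unimodular column operations bring M to column echelon form; the same
    operations applied to the identity matrix give the transform T, and the
    columns of T under the zero columns of the echelon form are a kernel basis.
    """
    m, n = len(M), len(M[0])
    A = [row[:] for row in M]
    T = [[int(i == j) for j in range(n)] for i in range(n)]

    def swap(j, k):
        for r in range(m):
            A[r][j], A[r][k] = A[r][k], A[r][j]
        for r in range(n):
            T[r][j], T[r][k] = T[r][k], T[r][j]

    def subtract(j, q, k):  # column j -= q * column k
        for r in range(m):
            A[r][j] -= q * A[r][k]
        for r in range(n):
            T[r][j] -= q * T[r][k]

    col = 0
    for row in range(m):
        if col >= n:
            break
        while True:  # Euclid on the entries of this row in columns col..n-1
            nz = [j for j in range(col, n) if A[row][j] != 0]
            if not nz:
                break
            swap(col, min(nz, key=lambda j: abs(A[row][j])))
            for j in range(col + 1, n):
                if A[row][j] != 0:
                    subtract(j, A[row][j] // A[row][col], col)
            if all(A[row][j] == 0 for j in range(col + 1, n)):
                break
        if A[row][col] != 0:
            col += 1
    return [[T[i][j] for i in range(n)] for j in range(col, n)]


def ext_gcd(a, b):
    """(g, u, v) with u*a + v*b = g = gcd(a, b) >= 0."""
    if b == 0:
        return (abs(a), 1 if a >= 0 else -1, 0)
    g, u, v = ext_gcd(b, a % b)
    return (g, v, u - (a // b) * v)


def ext_gcd_list(values):
    """(g, coefficients) with sum(c * v) = g = gcd(values) >= 0."""
    g, coeffs = 0, []
    for a in values:
        g2, u, v = ext_gcd(g, a)
        coeffs = [u * c for c in coeffs] + [v]
        g = g2
    return g, coeffs


def relations(T, R):
    """Algorithm 7.3: generators U_T of ker(g_T), g_T : Z^T -> G.

    The matrix of (h - p)(x, y) = h(x) - p(y) has as columns the vectors of T
    followed by the negated relation vectors of R; U_T is the Z^T-projection of
    a basis of its kernel (Theorem 7.4).
    """
    cols = [list(t) for t in T] + [[-c for c in r] for r in R]
    M = [[c[i] for c in cols] for i in range(len(cols[0]))]
    return [v[:len(T)] for v in integer_kernel(M)]


def discrete_log(T, R, gamma):
    """Algorithm 7.5: coefficients c with gamma = sum c_t * t in G, else None."""
    U = relations(list(T) + [gamma], R)          # U_{T u {gamma}}
    g, n = ext_gcd_list([u[-1] for u in U])      # the components u(gamma)
    if g != 1:
        return None                              # 1 not in sum_u Z u(gamma)
    combined = [sum(n_u * u[i] for n_u, u in zip(n, U)) for i in range(len(T) + 1)]
    # combined = (-x, 1) lies in ker(g_{T u {gamma}}), so gamma = g_T(x)
    return [-c for c in combined[:len(T)]]


def presentation(T, R):
    """Algorithm 7.6: the efficient presentation (T | U_T) of <T>."""
    return list(T), relations(T, R)


if __name__ == "__main__":
    # Constructed sample: G = Z/12 x Z/8 with S of size 2, R = {(12,0),(0,8)}.
    R = [[12, 0], [0, 8]]
    T = [[3, 2], [0, 4]]
    print(presentation(T, R))
    print(discrete_log(T, R, [9, 2]), discrete_log(T, R, [1, 0]))
```

In the sample, $\langle T \rangle$ has the relation lattice $\{(4k, 2l)\}$ of index $8$, so $\langle T \rangle$ has order $8$; $(9, 2) = 3 \cdot (3, 2) + 1 \cdot (0, 4)$ is a member, while $(1, 0)$ is not because the first coordinate of every element of $\langle T \rangle$ is divisible by $3$, and `discrete_log` detects this because the $\gamma$-components of $U_{T \cup \{\gamma\}}$ then have a common divisor larger than $1$.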


8. Separable polynomials over connected rings 


Proposition 8.1(b) will be used to prove Proposition 10.5 below.

Proposition 8.1. Suppose $R$ is a connected commutative ring, $f \in R[X]$, and $R[X]f + R[X]f' = R[X]$. Then:

(a) if $r, s \in R$ and $f(r) = f(s) = 0$, then $r - s \in \{0\} \cup R^*$;

(b) if $S$ is a non-zero ring and $\varphi : R \to S$ is a ring homomorphism, then the restriction of $\varphi$ to $\{r \in R : f(r) = 0\}$ is injective;

(c) $f \neq 0$ and $\#\{r \in R : f(r) = 0\} \le \deg(f)$.


Proof. Suppose $f(r) = f(s) = 0$. Write $f = (X - r)g$ and $1 = hf + kf'$ with $g, h, k \in R[X]$. Then $g(r) = f'(r) \in R^*$. Since $g(s) \equiv g(r) \bmod (r - s)R$ we can write $g(s) = g(r) + (r - s)t$ with $t \in R$. Thus, $0 = f(s) = (s - r)g(s) = (s - r)(g(r) + (r - s)t)$, so

$$(8.1) \qquad (s - r)g(r) = t(s - r)^2.$$

Thus, $t \cdot (s - r) \cdot g(r)^{-1} = (t \cdot (s - r) \cdot g(r)^{-1})^2$, an idempotent. If $t \cdot (s - r) \cdot g(r)^{-1} = 0$, then by (8.1) we have $(s - r)g(r) = 0$, and thus $r - s = 0$ since $g(r) \in R^*$. If $t \cdot (s - r) \cdot g(r)^{-1} = 1$, then $r - s \in R^*$. This gives (a).

For (b), suppose $r, s \in R$, $r \neq s$, and $f(r) = f(s) = 0$. By (a) we have $r - s \in R^*$. Since $\varphi(1) = 1 \neq 0$, we have $\varphi(r - s) \neq 0$.

For (c), let $\mathfrak{m}$ be a maximal ideal of $R$. Then $R \to R/\mathfrak{m}$ induces a map

$$\{r \in R : f(r) = 0\} \to \{u \in R/\mathfrak{m} : (f \bmod \mathfrak{m})(u) = 0\}$$

that is injective by (b). Since $R/\mathfrak{m}$ is a field and $f \bmod \mathfrak{m} \in (R/\mathfrak{m})[X]$ is non-zero, we have

$$\#\{r \in R : f(r) = 0\} \le \deg(f \bmod \mathfrak{m}) \le \deg(f).$$

□


Corollary 8.2. Suppose $R$ is a connected commutative ring, $m \in \mathbb{Z}_{>0}$, and $m \cdot 1 \in R^*$. Then $\{u \in R : u^m = 1\}$ is a cyclic subgroup of $R^*$ whose order divides $m$.

Proof. Applying Proposition 8.1 with $f = X^m - 1$ gives that the subgroup has order dividing $m$. Applying Proposition 8.1 with $f = X^d - 1$ for each divisor $d$ of $m$ gives that this abelian subgroup has at most $d$ elements of order dividing $d$, and thus is cyclic. □
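To see why both hypotheses of Proposition 8.1 and Corollary 8.2 matter, the following added Python example (not code from the paper) checks them by brute force in the rings $\mathbb{Z}/n\mathbb{Z}$, which are small enough to enumerate. Connectedness is tested literally by Definition 2.2, separability of $X^m - 1$ by the criterion of Examples 2.8 ($m \cdot 1$ is a unit in $\mathbb{Z}/n\mathbb{Z}$ exactly when $\gcd(m, n) = 1$), and the zeroes of $X^m - 1$ are counted and tested for cyclicity. The moduli used are constructed for the example.

```python
# Added example (not code from the paper): Proposition 8.1 / Corollary 8.2 in
# Z/nZ, with both hypotheses (connected, X^m - 1 separable) checked by brute
# force so that one can watch the conclusion fail when either one is dropped.
from math import gcd


def is_connected_Zn(n):
    """Definition 2.2: connected iff exactly two idempotents."""
    return sum(1 for x in range(n) if (x * x - x) % n == 0) == 2


def xm_minus_1_separable(m, n):
    """Examples 2.8: X^m - 1 separable over Z/nZ iff m*1 is a unit, i.e. gcd(m, n) = 1."""
    return gcd(m, n) == 1


def mth_roots_of_unity(m, n):
    """All zeroes of X^m - 1 in Z/nZ (a subgroup of (Z/nZ)^*)."""
    return [x for x in range(n) if pow(x, m, n) == 1]


def is_cyclic(H, n):
    """A finite subgroup H of (Z/nZ)^* is cyclic iff some element has order #H."""
    def order(x):
        k, y = 1, x
        while y != 1:
            y, k = (y * x) % n, k + 1
        return k
    return any(order(x) == len(H) for x in H)


def check(m, n):
    """Summary of the hypotheses and the conclusion of Corollary 8.2 for Z/nZ."""
    if n < 2:
        raise ValueError("n >= 2 required")
    H = mth_roots_of_unity(m, n)
    return {
        "connected": is_connected_Zn(n),
        "separable": xm_minus_1_separable(m, n),
        "roots": len(H),                 # compare with deg(X^m - 1) = m
        "cyclic": is_cyclic(H, n),
        "order_divides_m": m % len(H) == 0,
    }


if __name__ == "__main__":
    # Constructed sample moduli: 7 (field), 8 (connected, 2 not a unit),
    # 15 (not connected, 2 a unit).
    for n in (7, 8, 15):
        print(n, check(2, n))
```

With $m = 2$: $\mathbb{Z}/7\mathbb{Z}$ satisfies both hypotheses and has exactly the $2 = \deg(X^2 - 1)$ roots $\pm 1$; $\mathbb{Z}/8\mathbb{Z}$ is connected but $2$ is not a unit, and $X^2 - 1$ has the four roots $1, 3, 5, 7$ forming a non-cyclic group; $\mathbb{Z}/15\mathbb{Z}$ has $2$ as a unit but is not connected (its idempotents are $0, 1, 6, 10$), and again four roots appear. So the bound $\#\{r : f(r) = 0\} \le \deg f$ of Theorem 1.5 fails as soon as either hypothesis is dropped.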

9. From $\mu(E)$ to $\mu(B)$

Fix an order $A$. Recall that $E = A_{\mathbb{Q}} = A \otimes_{\mathbb{Z}} \mathbb{Q}$ and $A_{\mathrm{sep}} = A \cap E_{\mathrm{sep}}$. For $\mathfrak{m} \in \mathrm{Spec}(E)$, the image of $A_{\mathrm{sep}}$ in $E/\mathfrak{m}$ may be identified with $A_{\mathrm{sep}}/(\mathfrak{m} \cap A_{\mathrm{sep}})$; it is a ring of which the additive group is a finitely generated subgroup of the $\mathbb{Q}$-vector space $E/\mathfrak{m}$, so it is an order. We now write

$$(9.1) \qquad B = \prod_{\mathfrak{m} \in \mathrm{Spec}(E)} A_{\mathrm{sep}}/(\mathfrak{m} \cap A_{\mathrm{sep}}).$$

This is an order in $\prod_{\mathfrak{m} \in \mathrm{Spec}(E)} E/\mathfrak{m}$. We identify $A_{\mathrm{sep}}$ with its image in $B$ under the map

$$E_{\mathrm{sep}} \to \prod_{\mathfrak{m} \in \mathrm{Spec}(E)} E/\mathfrak{m}$$

and identify $B$ with a subring of $E_{\mathrm{sep}}$ using the same map. One has

$$A_{\mathrm{sep}} \subset B \subset E_{\mathrm{sep}}.$$

Since the abelian group $B/A_{\mathrm{sep}}$ is both torsion and finitely generated, it is finite, and one has $B_{\mathbb{Q}} = E_{\mathrm{sep}}$. The graph $\Gamma(B)$ consists of the vertices $\mathfrak{m} \in \mathrm{Spec}(E)$ and no edges.

Proposition 9.1. There is a deterministic polynomial-time algorithm that, given an order $A$, computes a $\mathbb{Z}$-basis for $A_{\mathrm{sep}}/(\mathfrak{m} \cap A_{\mathrm{sep}})$ in $E/\mathfrak{m}$ for every $\mathfrak{m} \in \mathrm{Spec}(E)$, a $\mathbb{Z}$-basis for $B$ in $E_{\mathrm{sep}}$, and the index $(B : A_{\mathrm{sep}})$.

Proof. One simply computes a $\mathbb{Z}$-basis for $A_{\mathrm{sep}}$ as in Algorithm 4.2 and a $\mathbb{Z}$-basis for the image of the map $A_{\mathrm{sep}} \subset E_{\mathrm{sep}} \to E/\mathfrak{m}$ using the image algorithm in §14 of [5], for each $\mathfrak{m} \in \mathrm{Spec}(E)$. Combining these bases for all $\mathfrak{m}$ and applying the inverse of the second isomorphism in Proposition 3.1, one finds a $\mathbb{Z}$-basis for $B$ in $E_{\mathrm{sep}}$. The index $(B : A_{\mathrm{sep}})$ is the absolute value of the determinant of any matrix expressing a $\mathbb{Z}$-basis for $A_{\mathrm{sep}}$ in a $\mathbb{Z}$-basis for $B$. □

Proposition 9.2. For each order $A$ and each $\mathfrak m \in \operatorname{Spec}(E)$ the group $\mu(A_{\mathrm{sep}}/(\mathfrak m \cap A_{\mathrm{sep}}))$ is finite cyclic. Also, there is a deterministic polynomial-time algorithm that, given $A$ and $\mathfrak m$, computes a generator $\theta_{\mathfrak m}$ of $\mu(A_{\mathrm{sep}}/(\mathfrak m \cap A_{\mathrm{sep}}))$, its order, the complete prime factorization of its order, and, for each prime number $p$, a generator $\theta_{\mathfrak m,p}$ for $\mu(A_{\mathrm{sep}}/(\mathfrak m \cap A_{\mathrm{sep}}))_p$.

Proof. The first statement follows from Lemma 2.3(iii). For $\theta_{\mathfrak m}$ one can take the first power of the generator $\zeta_{\mathfrak m}$ of $\mu(E/\mathfrak m)$ found in Algorithm 3.4 that belongs to $A_{\mathrm{sep}}/(\mathfrak m \cap A_{\mathrm{sep}})$, i.e., for which all coordinates on a $\mathbb Z$-basis of $A_{\mathrm{sep}}/(\mathfrak m \cap A_{\mathrm{sep}})$ (which is a $\mathbb Q$-basis of $E/\mathfrak m$) are integers. The order of $\theta_{\mathfrak m}$ is then easy to write down, and since the prime numbers dividing that order are, by Lemma 3.3(iv), bounded by $1 + \operatorname{rank}_{\mathbb Z}(A)$, it is also easy to factor into primes. If $p^k$ is a prime power exactly dividing $\operatorname{order}(\theta_{\mathfrak m})$, one can take $\theta_{\mathfrak m,p} = [\ldots]$. $\square$

Proposition 9.3. There is a deterministic polynomial-time algorithm that, given an order $A$, determines all prime factors $p$ of $\#\mu(B)$, with $B$ as in (9.1), as well as an efficient presentation for $\mu(B)$ and, for each $p$, an efficient presentation for $\mu(B)_p$.

Proof. This follows directly from Proposition 9.2 and the isomorphisms

$$\mu(B) \cong \prod_{\mathfrak m \in \operatorname{Spec}(E)} \mu(A_{\mathrm{sep}}/(\mathfrak m \cap A_{\mathrm{sep}})) \quad\text{and}\quad \mu(B)_p \cong \prod_{\mathfrak m \in \operatorname{Spec}(E)} \mu(A_{\mathrm{sep}}/(\mathfrak m \cap A_{\mathrm{sep}}))_p$$

in the same way as for $\mu(E)$ in section 2. $\square$
10. From $\mu(B)$ to $\mu(C)_p$

Let $A$, $E$, $A_{\mathrm{sep}}$, and $B$ be as in the previous section, and fix a prime number $p$. Let

$$(10.1)\qquad C = A_{\mathrm{sep}}[1/p] \cap B.$$

We have

$$A_{\mathrm{sep}} \subset C \subset B \subset E_{\mathrm{sep}},$$

so $C$ is an order with $C_{\mathbb Q} = E_{\mathrm{sep}}$, and

$$C = \{x \in B : p^i x \in A_{\mathrm{sep}} \text{ for some } i \in \mathbb Z_{>0}\}.$$

The group $C/A_{\mathrm{sep}}$ is finite of $p$-power order, and the group $B/C$ is finite of order prime to $p$. These orders can be quickly computed from the order of $B/A_{\mathrm{sep}}$ computed in Proposition 9.1. We emphasize that $C$ depends on $p$.

Let $t = (B : C)$. Then $C/A_{\mathrm{sep}} = t(B/A_{\mathrm{sep}})$, so $C = tB + A_{\mathrm{sep}}$, which is the image of the map $B \oplus A_{\mathrm{sep}} \to B$, $(x, y) \mapsto tx + y$. Thus one can find a $\mathbb Z$-basis for $C$ from the image algorithm in §14 of [5].

Proposition 10.1. Suppose that $A$ is an order and $p$ is a prime. Suppose $\mathfrak m, \mathfrak n \in \operatorname{Spec}(E)$ with $\mathfrak m \ne \mathfrak n$. Then:

(i) $C/((\mathfrak m \cap C) + (\mathfrak n \cap C))$ is the non-$p$-component of $A_{\mathrm{sep}}/((\mathfrak m \cap A_{\mathrm{sep}}) + (\mathfrak n \cap A_{\mathrm{sep}}))$;

(ii) $\mathfrak m$ and $\mathfrak n$ are connected in $\Gamma(C)$ if and only if $n(A_{\mathrm{sep}}, \mathfrak m, \mathfrak n) \notin p^{\mathbb Z_{\ge 0}}$.

Proof. For $Z = A_{\mathrm{sep}}$, $B$, and $C$, write $\bar Z$ for the finite abelian group $Z/((\mathfrak m \cap Z) + (\mathfrak n \cap Z))$ (cf. Lemma 5.3). Let $p^r = (C : A_{\mathrm{sep}})$ and $t = (B : C)$. Then $\gcd(p^r, t) = 1$. Since $\Gamma(B)$ has no edges, we have $(\mathfrak m \cap B) + (\mathfrak n \cap B) = B$, so $\bar B = 0$. Consider the maps

$$\bar A_{\mathrm{sep}} \xleftarrow{\;p^r\;} \bar C \xleftarrow{\;t\;} \bar B = 0,$$

where a map $\bar Z_1 \xrightarrow{\;d\;} \bar Z_2$ is the map induced by multiplication by $d$ on $Z_1$. (The maps are well-defined since $A_{\mathrm{sep}} \subset C \subset B$ and $p^r C \subset A_{\mathrm{sep}}$ and $tB \subset C$.)

Since $\bar B = 0$, taking the composition $\bar C \xrightarrow{\;1\;} \bar B \xrightarrow{\;t\;} \bar C$ shows that $t\bar C = 0$. If $x \in \bar C$ and $p^r x = 0$, then since $\gcd(p^r, t) = 1$ we have $x = 0$. Thus, the composition $\bar C \xrightarrow{\;p^r\;} \bar A_{\mathrm{sep}} \xrightarrow{\;1\;} \bar C$ is an injection, and thus an automorphism $\alpha$ of the finite abelian group $\bar C$. It follows that $\bar A_{\mathrm{sep}} \xrightarrow{\;1\;} \bar C$ is surjective and $\bar C \xrightarrow{\;p^r\;} \bar A_{\mathrm{sep}}$ is injective. Further, letting $\bar A_{\mathrm{sep}}[p^r]$ denote the kernel of multiplication by $p^r$ in $\bar A_{\mathrm{sep}}$, we have

$$\ker(\bar A_{\mathrm{sep}} \xrightarrow{\;1\;} \bar C) = \ker(\bar A_{\mathrm{sep}} \xrightarrow{\;1\;} \bar C \xrightarrow{\;p^r\;} \bar A_{\mathrm{sep}}) = \bar A_{\mathrm{sep}}[p^r].$$

This gives a split short exact sequence

$$0 \longrightarrow \bar A_{\mathrm{sep}}[p^r] \longrightarrow \bar A_{\mathrm{sep}} \xrightarrow{\;1\;} \bar C \longrightarrow 0$$

(with $p^r\alpha^{-1}$ as a splitting), with $\bar C$ killed by $t$. Thus $\bar C$ is the non-$p$-component of $\bar A_{\mathrm{sep}}$, proving (i).

We have $n(A_{\mathrm{sep}}, \mathfrak m, \mathfrak n) \notin p^{\mathbb Z_{\ge 0}}$ if and only if $\bar A_{\mathrm{sep}}$ is not a $p$-group, i.e., if and only if $\bar C \ne 0$ (by (i)). But $\bar C \ne 0$ if and only if $\mathfrak m$ and $\mathfrak n$ are connected in $\Gamma(C)$. This gives (ii). $\square$

One could compute $\Gamma(C)$ by applying Algorithm 5.6 with $D = C$. Thanks to Proposition 10.1 we can compute $\Gamma(C)$ without actually computing $C$, as follows.

Algorithm 10.2. The algorithm takes an order $A$ and the numbers $n(A_{\mathrm{sep}}, \mathfrak m, \mathfrak n)$, and computes the graph $\Gamma(C)$ and its connected components.

(i) Connect two vertices $\mathfrak m$ and $\mathfrak n$ if and only if $n(A_{\mathrm{sep}}, \mathfrak m, \mathfrak n) \notin p^{\mathbb Z_{\ge 0}}$.

(ii) Output the associated graph and the connected components.

Definition 10.3. If $W \subset \operatorname{Spec}(E)$, let $C_W$ denote the image of $C$ in the quotient

$$\prod_{\mathfrak m \in W} A_{\mathrm{sep}}/(\mathfrak m \cap A_{\mathrm{sep}})$$

of $B$.

Lemma 10.4. Let $\Omega$ denote the set of connected components of the graph $\Gamma(C)$. Then the natural map $F : C \to \prod_{W \in \Omega} C_W$ is an isomorphism.

Proof. The map $F$ is injective, since

$$C \subset B = \prod_{W \in \Omega}\ \prod_{\mathfrak m \in W} A_{\mathrm{sep}}/(\mathfrak m \cap A_{\mathrm{sep}}).$$

If $f_W : C \to C_W$ is the natural map, $e_W$ is as defined in Notation 5.5 with $D = C$, and $x = (f_W(c_W))_{W \in \Omega}$ is an arbitrary element of $\prod_{W \in \Omega} C_W$, then $F(\sum_W e_W c_W) = x$, so $F$ is surjective.

The result now follows from Proposition 5.7(ii). $\square$

Proposition 10.5. Suppose $A$ is an order and $p$ is a prime number. Recall $C$ as defined in (10.1). Fix a subset $W \subset \operatorname{Spec}(E)$ for which the induced subgraph of $\Gamma(C)$ is connected. Then:

(i) the ring $C_W$ is connected,

(ii) the natural map $\mu(C_W)_p \to \mu(C_{\{\mathfrak m\}})_p$ is injective for all $\mathfrak m \in W$,

(iii) the group $\mu(C_W)_p$ is cyclic,

(iv) if $W'$ is a non-empty subset of $W$, then the natural map $\mu(C_W)_p \to \mu(C_{W'})_p$ is injective.

Proof. Part (i) follows from Lemma 5.1.

Let $B_W = \prod_{\mathfrak m \in W} A_{\mathrm{sep}}/(\mathfrak m \cap A_{\mathrm{sep}})$. We have

$$\operatorname{id}(C_W[1/p]) \subset \operatorname{id}\Bigl(\prod_{\mathfrak m \in W} E/\mathfrak m\Bigr) = \operatorname{id}(B_W).$$

Recall $B$ from (9.1). Since $(B : C)$ is coprime to $p$, so is $(B_W : C_W)$. Suppose $e \in \operatorname{id}(C_W[1/p])$. Then $e \in \operatorname{id}(B_W)$ and there exists $m \in \mathbb Z - p\mathbb Z$ such that $me \in C_W$ (e.g., $m = (B_W : C_W)$). Further, there exists $k \in \mathbb Z_{\ge 0}$ such that $p^k e \in C_W$. Since $m$ and $p^k$ are coprime, we have $e \in C_W$. Thus, $\operatorname{id}(C_W[1/p]) = \operatorname{id}(C_W) = \{0, 1\}$, so $C_W[1/p]$ is connected. Now by Corollary 8.2 with $R = C_W[1/p]$ and $m = \#\mu(C_W[1/p])_p$, the group $\mu(C_W[1/p])_p$ is cyclic, so its subgroup $\mu(C_W)_p$ is cyclic as well, which is (iii). Also, by Proposition 8.1(b) with $R = C_W[1/p]$ and $f = X^m - 1$, the map $\mu(C_W[1/p])_p \to \mu(C_{W'}[1/p])_p$ is injective for each non-empty $W' \subset W$. This implies (iv). With $W' = \{\mathfrak m\}$ one obtains (ii). $\square$

Remark 10.6. If $A$ is a connected order in a separable $\mathbb Q$-algebra and $p$ is a prime number that does not divide $\#(B/A)$, then $\mu(A)_p$ is cyclic. This follows from Proposition 10.5(iii): $C = A$ since $E = E_{\mathrm{sep}}$ and $p \nmid \#(B/A)$, and one can take $C = C_W$ since $A$ is connected.

By Proposition 10.5(ii, iii), if $W$ is a connected component of $\Gamma(C)$, then the natural map

$$\mu(C_W)_p \longrightarrow \mu(A_{\mathrm{sep}}/(\mathfrak m \cap A_{\mathrm{sep}}))_p$$

is injective for all $\mathfrak m \in W$, and $\mu(C_W)_p$ is cyclic. This gives an efficient algorithm for computing $\mu(C_W)_p$, and thus a set of generators for $\mu(C)_p$, as follows.

Algorithm 10.7. Given an order $A$ and a prime $p$, the algorithm finds an efficient presentation for $\mu(C)_p$.

(i) Apply the algorithm in Proposition 9.2 to compute a generator of the cyclic group $\mu(A_{\mathrm{sep}}/(\mathfrak m \cap A_{\mathrm{sep}}))_p$ for each $\mathfrak m \in \operatorname{Spec}(E)$.

(ii) Apply Algorithm 10.2 to compute $\Gamma(C)$ and its connected components $W$.

(iii) For each $W$, do the following:

(a) Apply the image algorithm in §14 of [5] to compute a basis for the order

$$C_W = \operatorname{image}\Bigl(C \longrightarrow \prod_{\mathfrak m \in W} E/\mathfrak m\Bigr).$$

(b) Pick $\mathfrak m_1 \in W$ with $\#\mu(A_{\mathrm{sep}}/(\mathfrak m_1 \cap A_{\mathrm{sep}}))_p$ minimal.

(c) Choose

$$W_1 = \{\mathfrak m_1\} \subset W_2 = \{\mathfrak m_1, \mathfrak m_2\} \subset \cdots \subset W$$

such that $\#W_i = i$ for all $i \ge 1$, and $W_i = W_{i-1} \cup \{\mathfrak m_i\}$ for all $i \ge 2$, and each $\mathfrak m_i$ is connected in $\Gamma(C)$ to some $\mathfrak m_j$ with $j < i$.

(d) For $i = 1, 2, \ldots$ compute each $\mu(C_{W_i})_p$, and a generator for it, in succession by using that $\mu(C_{W_1})_p = \mu(A_{\mathrm{sep}}/(\mathfrak m_1 \cap A_{\mathrm{sep}}))_p$ is given, and for $i > 1$ listing all ordered pairs in $\mu(C_{W_{i-1}})_p \times \mu(A_{\mathrm{sep}}/(\mathfrak m_i \cap A_{\mathrm{sep}}))_p$ and testing whether they are in $C_{W_i}$, and using that

$$\mu(C_{W_i})_p = C_{W_i} \cap \bigl(\mu(C_{W_{i-1}})_p \times \mu(A_{\mathrm{sep}}/(\mathfrak m_i \cap A_{\mathrm{sep}}))_p\bigr).$$

This gives a generator of $\mu(C_W)_p$ for each $W$ in the set $\Omega$ of connected components of $\Gamma(C)$. Let $\zeta_W \in \prod_{V \in \Omega} \mu(C_V)_p$ be the element with this generator as its $W$-th component, and all other components $1$.

(iv) View the set $S = \{\zeta_W : W \in \Omega\}$ in $\mu(C)_p$ via the isomorphism $\mu(C)_p \cong \prod_{W \in \Omega} \mu(C_W)_p$ of Lemma 10.4, let $R = \{\operatorname{order}(\zeta_W)\cdot(W\text{-th basis vector})\}$, and output $(S \mid R)$.


Proposition 10.8. Algorithm 10.7 gives correct output and runs in polynomial time.

Proof. By Lemma 10.4 we have $C \cong \prod_W C_W$. Thus, $\mu(C)_p \cong \prod_W \mu(C_W)_p$, so the output of the algorithm is a set of generators for $\mu(C)_p$. We have

$$C_{W_i} \subset C_{W_{i-1}} \times A_{\mathrm{sep}}/(\mathfrak m_i \cap A_{\mathrm{sep}}).$$

Thus,

$$\mu(C_{W_i})_p \subset \mu(C_{W_{i-1}})_p \times \mu(A_{\mathrm{sep}}/(\mathfrak m_i \cap A_{\mathrm{sep}}))_p.$$

By Proposition 10.5 the group $\mu(C_{W_i})_p$ injects into each factor, and each factor is cyclic of prime power order. Each factor has size polynomial in the size of the algorithm's inputs (given an order of rank $n$ and an element of order $p^k$, we have $\varphi(p^k) \le n$ by Lemma 3.3, so $p^k \le 2n$). By Proposition 10.5(ii) the natural map $\mu(C_{W_i})_p \to \mu(A_{\mathrm{sep}}/(\mathfrak m_i \cap A_{\mathrm{sep}}))_p$ is injective, for all $i$. As $i$ gets larger, the groups $\mu(C_{W_i})_p$ get smaller or stay the same. Thus one can list all ordered pairs, and then efficiently test whether they are in $C_{W_i}$. It follows from the above that the algorithm runs in polynomial time. The presentation $(S \mid R)$ is efficient by Algorithm 7.6 and Proposition 9.3 since $\mu(C)_p \subset \mu(B)_p$. $\square$


Remark 10.9. A more intelligent algorithm for step (iii)(d) is to use that each $\mu(C_{W_i})_p$ is cyclic (by Proposition 10.5(iii)), and that $\mu(C_{W_i})_p \subset \mu(C_{W_{i-1}})_p$, as follows. Starting with $i = 1$ and incrementing $i$, proceed as follows in place of step (d). If $\mu(C_{W_{i-1}})_p$ is trivial, stop. Otherwise, take an element $a_1 \in \mu(C_{W_{i-1}})_p$ of order $p$ and for each of the $p - 1$ elements $b_1 \in \mu(A_{\mathrm{sep}}/(\mathfrak m_i \cap A_{\mathrm{sep}}))_p$ of order $p$ test whether $(a_1, b_1) \in C_{W_i}$. If there are none, stop (the group is trivial for that $W_i$). If there is such a pair $(a_1, b_1) \in \mu(C_{W_i})$, then if $\#\mu(C_{W_i})_p = p$ stop with $(a_1, b_1)$ as generator, and otherwise take each $a_2 \in \mu(C_{W_{i-1}})_p$ that is a $p$-th root of $a_1$ and for each of the $p$ possible choices of elements $b_2 \in \mu(A_{\mathrm{sep}}/(\mathfrak m_i \cap A_{\mathrm{sep}}))_p$ that are a $p$-th root of $b_1$, test whether $(a_2, b_2) \in C_{W_i}$. As soon as such a pair is found, if $\#\mu(C_{W_i})_p = p^2$ then stop with $(a_2, b_2)$ as generator, and otherwise continue this process. Injecting into each component implies one only needs to check ordered pairs with the same order in each component. Since $\#\mu(C_{W_i})_p$ divides $[\ldots]$, one only needs to go up to elements of order $\#\mu(C_{W_{i-1}})_p$. The number of trials is $\le p\log_p(\#\mu(C_{W_{i-1}})_p)$, since there are $p$ choices each time, and there are $\log_p(\#\mu(C_{W_{i-1}})_p)$ steps. The final $(a_j, b_j)$ found is a generator for $\mu(C_{W_i})_p$.


11. Nilpotent ideals in finite rings

Suppose $R$ is a finite commutative ring and $I$ is a nilpotent ideal of $R$. Algorithm 11.3 below solves the discrete logarithm problem in the multiplicative group $1 + I$, using the finite filtration

$$1 + I \supset 1 + I^2 \supset 1 + I^3 \supset \cdots \ni 1,$$

the fact that the map $x \mapsto 1 + x$ is an isomorphism from the additive group $I^i/I^{i+1}$ to the multiplicative group $(1 + I^i)/(1 + I^{i+1})$, and the fact that the discrete logarithm problem is easy in these additive groups.

We specify a finite commutative ring by giving a presentation for its additive group, i.e., a finite set of generators and a finite set of relations, and for every pair of generators their product is expressed as a $\mathbb Z$-linear combination of the generators.

The following result can be shown using standard methods.

Proposition 11.1. There is a deterministic polynomial-time algorithm that, given a finite commutative ring $R$ and two ideals of $R$, one contained in the other, computes an efficient presentation of the finite abelian group that is their quotient.

Lemma 11.2. Suppose $R$ is a finite commutative ring, $I$ is an ideal of $R$ such that $I \subset \sqrt{0_R}$, and for each $i \in \mathbb Z_{>0}$ the set $B_i$ is a subset of $I^i$ such that $B_i \cup I^{i+1}$ generates the additive group $I^i$. Let $B = \bigcup_{i>0} B_i$. Then $1 + I = \langle 1 + b : b \in B\rangle$ (as a multiplicative group).


Proof. Since $I$ is nilpotent, $1 + I^i$ is a multiplicative group for all $i \in \mathbb Z_{>0}$. We have

$$I^i/I^{i+1} \;\cong\; (1 + I^i)/(1 + I^{i+1})$$

via $x \mapsto 1 + x$. Since $B_i \cup I^{i+1}$ generates the additive group $I^i$, we have that $B_i + I^{i+1}$ generates $I^i/I^{i+1}$. If $I^{k+1} = 0$, then $B_k$ generates $I^k$ and $1 + B_k$ generates the multiplicative group $1 + I^k$. It now follows that $1 + B$ generates $1 + I$. $\square$


Algorithm 11.3. Given a finite commutative ring $R$, an ideal $I$ of $R$ such that $I \subset \sqrt{0}$, for each $i \in \mathbb Z_{>0}$ a subset $B_i$ of $I^i$ such that $B_i \cup I^{i+1}$ generates the additive group $I^i$, with all but finitely many $B_i = \emptyset$, and $x \in I$, the algorithm computes $(m_b)_{b \in B} \in \mathbb Z^B$ with $1 + x = \prod_{b \in B}(1 + b)^{m_b}$, where $B = \bigcup_{i>0} B_i$, as follows.

(i) Let $x_0 = x$. For $i = 0, 1, \ldots$ use Proposition 11.1 to find $(m_b)_{b \in B_i} \in \mathbb Z^{B_i}$ such that

$$x_i \equiv \sum_{b \in B_i} m_b\, b \bmod I^{i+1} \qquad (\text{in } I^i/I^{i+1}).$$

Define $x_{i+1} \in I^{i+1}$ by

$$1 + x_{i+1} = (1 + x_i)\prod_{b \in B_i}(1 + b)^{-m_b}.$$

As soon as $x_{i+1} = 0$, terminate, setting $m_b = 0$ for all $b \in B_j$ with $j > i$ and outputting $(m_b)_{b \in B} \in \mathbb Z^B$.


Proposition 11.4. Algorithm 11.3 is a deterministic algorithm that produces correct outputs in polynomial time.

Proof. Since $I$ is a nilpotent ideal, there exists $j \in \mathbb Z_{>0}$ such that $I^j = 0$. Then $x_j = 0$ and the algorithm gives

$$1 + x = 1 + x_0 = \prod_{b \in \bigcup_{i<j} B_i}(1 + b)^{m_b} = \prod_{b \in B}(1 + b)^{m_b},$$

as desired. $\square$


Lemma 11.5. There is a deterministic polynomial-time algorithm that, given a finite commutative ring $R$, an ideal $I$ of $R$ such that $I \subset \sqrt{0}$, and for each $i \in \mathbb Z_{>0}$ a subset $B_i$ of $I^i$ such that $B_i \cup I^{i+1}$ generates the additive group $I^i$, computes a $\mathbb Z$-basis for the kernel of the map $\mathbb Z^B \to 1 + I$, $(m_b)_{b \in B} \mapsto \prod_b (1 + b)^{m_b}$, where $B = \bigcup_{i>0} B_i$.

Proof. Let $C_j = \bigcup_{k \ge j} B_k$. We proceed by induction on decreasing $j$. We have $\langle 1 + C_j\rangle = 1 + I^j$ (applying Lemma 11.2 with $I^j$ in place of $I$). Assume we already have defining relations for $1 + C_j$, i.e., we have generators for the kernel of $\mathbb Z^{C_j} \to 1 + I^j$, $(m_b)_{b \in C_j} \mapsto \prod_{b \in C_j}(1 + b)^{m_b}$. We would like to find defining relations for $1 + C_{j-1}$. Proposition 11.1 gives an algorithm for finding a basis for the kernel of $\mathbb Z^{B_{j-1}} \to I^{j-1}/I^j$, $(n_b)_{b \in B_{j-1}} \mapsto \sum_{b \in B_{j-1}} n_b b + I^j$, in polynomial time. For each defining relation $(n_b)_{b \in B_{j-1}}$ for $B_{j-1} + I^j$ we have $\sum_{b \in B_{j-1}} n_b b \equiv 0 \bmod I^j$, so $\prod_{b \in B_{j-1}}(1 + b)^{n_b} \in 1 + I^j$. Algorithm 11.3 gives a polynomial-time algorithm to find $(m_{b'})_{b' \in C_j} \in \mathbb Z^{C_j}$ such that $\prod_{b \in B_{j-1}}(1 + b)^{n_b} = \prod_{b' \in C_j}(1 + b')^{m_{b'}} \in 1 + I^j$. Then $\bigl((n_b)_{b \in B_{j-1}}, (-m_{b'})_{b' \in C_j}\bigr)$ is in the kernel of the map $\mathbb Z^{C_{j-1}} \to 1 + I^{j-1}$, and these relations along with the defining relations for $1 + C_j$ form a set of defining relations for $1 + C_{j-1}$. $\square$

Theorem 11.6. There is a deterministic polynomial-time algorithm that, given a finite commutative ring $R$ and an ideal $I$ of $R$ such that $I \subset \sqrt{0}$, produces an efficient presentation $(1 + B \mid \mathcal R)$ for $1 + I$.

Proof. Apply the algorithm in Proposition 11.1 to obtain for each $i \in \mathbb Z_{>0}$ a set $B_i \subset I^i$ such that $B_i \cup I^{i+1}$ generates the additive group $I^i$. Since $I$ is nilpotent, we can take $B_i = \emptyset$ for all but finitely many $i$. By Lemma 11.2 the set $B = \bigcup_{i>0} B_i$ has the property that $1 + B$ generates $1 + I$. Defining relations $\mathcal R$ are given by Lemma 11.5, and part (c) of Definition 7.1 holds by Proposition 11.4. $\square$

Theorem 1.4 now follows from Theorem 11.6 and Algorithm 7.6.

Remark 11.7. Suppose $R$ is a finite commutative ring, $I \subset R$ is a nilpotent ideal, and $R'$ is a subring of $R$. Let $I' = I \cap R'$. The algorithm in Theorem 11.6 gives efficient presentations for the multiplicative groups $1 + I$ and $1 + I'$. We can apply Algorithm 7.8 with $G = 1 + I \subset R^*$, and $T'$ a set of generators for $1 + I'$, and $T$ a set of generators for some subgroup of $1 + I$. In the next section we will apply this to our setting.

Example 11.8. Let $R = \mathbb Z/p^2\mathbb Z$ and $I = \sqrt{0_R} = p\mathbb Z/p^2\mathbb Z$. Then $I^2 = 0$, and $1 + I$ is the order $p$ subgroup of $(\mathbb Z/p^2\mathbb Z)^* \cong \mathbb Z/p\mathbb Z \times \mathbb Z/(p-1)\mathbb Z$. The map $1 + I \to \mathbb Z/p\mathbb Z$, $1 + x \mapsto x/p$ is a group isomorphism, so the discrete logarithm problem is easy in $1 + I$.

Example 11.9. Let $R = \mathbb Z/p^3\mathbb Z$ and $I = \sqrt{0_R} = p\mathbb Z/p^3\mathbb Z$. Then $I^3 = 0$. Here, the map $1 + I \to \mathbb Z/p^2\mathbb Z$, $1 + x \mapsto x/p$ is not a group homomorphism. The discrete logarithm problem is easy in $1 + I$ not because it is (isomorphic to) an additive group, but because there is a filtration of additive groups, namely, $(1 + I)/(1 + I^2) \cong I/I^2$ and $(1 + I^2)/(1 + I^3) \cong I^2/I^3 = I^2$.
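Algorithm 11.3 carried out on the rings of Examples 11.8 and 11.9, as an added example that is not code from the paper. It assumes $R = \mathbb Z/p^k\mathbb Z$, $I = pR$ and the choice $B_i = \{p^i\}$ for $1 \le i < k$ (then $B_i \cup I^{i+1}$ generates $I^i$), and it also checks why the naive map $1 + x \mapsto x/p$ of Example 11.9 fails for $k \ge 3$; the function names are ours.

```python
# Added example (not from the paper): Algorithm 11.3 run on the rings of
# Examples 11.8 and 11.9, R = Z/p^k Z with nilpotent ideal I = pR.
# Here I^i = p^i R and B_i = {p^i} (1 <= i < k) satisfies "B_i together with
# I^{i+1} generates I^i", so by Lemma 11.2 the elements 1+p, 1+p^2, ...
# generate 1+I, and the filtration 1+I > 1+I^2 > ... yields discrete logs.

def filtration_dlog(p, k, x):
    """Return [m_1, ..., m_{k-1}] with 1+x == prod_i (1+p^i)^{m_i} in Z/p^k Z.

    x must lie in I = pR.  Step i only needs the class of x_i in the additive
    group I^i/I^{i+1} = Z/pZ, which is x_i / p^i mod p: no search over the
    multiplicative group is ever performed, which is why this log is easy.
    """
    N = p ** k
    if x % p:
        raise ValueError("x must lie in the ideal I = pR")
    ms = [0] * (k - 1)
    x_i = x % N                        # x_1 = x
    for i in range(1, k):
        if x_i == 0:                   # x_i = 0: remaining m_b stay 0
            break
        q = p ** i
        assert x_i % q == 0            # invariant: x_i in I^i
        m = (x_i // q) % p             # x_i = m * p^i  (mod I^{i+1})
        ms[i - 1] = m
        # 1 + x_{i+1} = (1 + x_i) * (1 + p^i)^(-m); this is 1 mod p^{i+1}
        x_i = ((1 + x_i) * pow(1 + q, -m, N) - 1) % N   # needs Python >= 3.8
    return ms

def reconstruct(p, k, ms):
    """Evaluate prod_i (1+p^i)^{m_i} mod p^k (the map whose log we computed)."""
    N = p ** k
    r = 1
    for i, m in enumerate(ms, start=1):
        r = r * pow(1 + p ** i, m, N) % N
    return r

def all_logs_correct(p, k):
    """Check filtration_dlog on every element 1+x of 1+I (x runs over pR)."""
    N = p ** k
    return all(reconstruct(p, k, filtration_dlog(p, k, x)) == (1 + x) % N
               for x in range(0, N, p))

def quotient_by_p_is_hom(p, k):
    """Is 1+x -> x/p a group homomorphism 1+I -> Z/p^{k-1}Z?

    True for k = 2 (Example 11.8), False for k >= 3 (Example 11.9): there
    (1+pa)(1+pb) = 1 + p(a+b) + p^2 ab and the p^2 ab term survives mod p^k.
    """
    N, M = p ** k, p ** (k - 1)
    units = range(1, N, p)             # all of 1 + I
    return all((((u * v) % N - 1) // p) % M == ((u - 1) // p + (v - 1) // p) % M
               for u in units for v in units)

if __name__ == "__main__":
    print(filtration_dlog(3, 3, 21), reconstruct(3, 3, [1, 2]))    # [1, 2] 22
    print(filtration_dlog(2, 4, 14))                                # [1, 1, 0]
    print(quotient_by_p_is_hom(5, 2), quotient_by_p_is_hom(3, 3))  # True False
```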
12. From $\mu(C)_p$ to $\mu(A)_p$

Let $A$ be an order and let $p$ be a prime. Recall $C$ from (10.1) and let

$$\mathfrak f = \{x \in C : xC \subset A_{\mathrm{sep}}\},$$

which is the largest ideal of $C$ that is contained in $A$. We shall see that $C/\mathfrak f$ is a finite ring, and it has $A_{\mathrm{sep}}/\mathfrak f$ as a subring. Suppose we are given a set $M \subset C^*$ such that $\mu(C)_p = \langle M\rangle$. Let

$$I = \sum_{\zeta \in M}(\zeta - 1)(C/\mathfrak f), \qquad I' = I \cap (A_{\mathrm{sep}}/\mathfrak f).$$

Define $g_1 : \mathbb Z^M \to \mu(C)_p$ by

$$[\ldots]_{\zeta \in M},$$

let $g_2 : \mu(C)_p \to 1 + I$ be the natural map $\zeta \mapsto \zeta + \mathfrak f$; let $\bar g : \mu(C)_p \to (1 + I)/(1 + I')$ denote the composition of $g_2$ with the quotient map, define $g : \mathbb Z^M \to 1 + I$ by $g = g_2 \circ g_1$, and define

$$(12.1)\qquad \psi : \mathbb Z^M \to (1 + I)/(1 + I') \quad\text{by}\quad \psi = \bar g \circ g_1.$$

Proposition 12.1. With notation as above,

(i) $I$ is a nilpotent ideal of $C/\mathfrak f$, i.e., $I \subset \sqrt{0_{C/\mathfrak f}}$;

(ii) $I'$ is a nilpotent ideal of $A_{\mathrm{sep}}/\mathfrak f$;

(iii) $C/\mathfrak f$ is a finite ring of $p$-power order;

(iv) $\mu(A)_p$ is the kernel of the map $\bar g$;

(v) $\mu(A)_p$ is the image of $\ker(\psi)$ under the map $g_1$.

Proof. Since $C/A$ is killed by $p^r$ for some $r \in \mathbb Z_{>0}$, we have $p^r \in \mathfrak f$, so $p \in \sqrt{0_{C/\mathfrak f}}$, so $p$ is in every prime ideal of $C/\mathfrak f$. Suppose $\zeta \in \mu(C)_p$. Then the image of $\zeta$ in every field of characteristic $p$ is $1$. Thus, $\zeta - 1$ is in every prime ideal of $C/\mathfrak f$, so $\zeta - 1 \in \sqrt{0_{C/\mathfrak f}}$. By the definition of $I$ we have $I \subset \sqrt{0_{C/\mathfrak f}}$, and (i) and (ii) follow.

Since $p^r \in \mathfrak f$ we have $p^r C \subset \mathfrak f$, so $C/\mathfrak f$ is a quotient of $C/p^r C$, which is a finite ring of $p$-power order. This gives (iii).

Part (iv) follows directly from the definitions, and then (v) follows from (iv). $\square$

Algorithm 12.2. The algorithm takes as input an order $A$, a prime $p$, and a finite set of generators $M$ for $\mu(C)_p$, and computes a finite set of generators for $\mu(A)_p$.

(i) Compute the finite abelian group $C/A_{\mathrm{sep}}$ and

$$\operatorname{Hom}(C, C/A_{\mathrm{sep}}) = (C/A_{\mathrm{sep}}) \oplus (C/A_{\mathrm{sep}}) \oplus \cdots \oplus (C/A_{\mathrm{sep}})$$

(with $\operatorname{rank}_{\mathbb Z}(C)$ summands $C/A_{\mathrm{sep}}$), and compute $\mathfrak f$ as the kernel of the group homomorphism $A_{\mathrm{sep}} \to \operatorname{Hom}(C, C/A_{\mathrm{sep}})$ sending $x \in A_{\mathrm{sep}}$ to the map $y \mapsto xy + A_{\mathrm{sep}}$. Next compute the finite rings $A_{\mathrm{sep}}/\mathfrak f \subset C/\mathfrak f$. This entire step can be done using standard algorithms for finitely generated abelian groups.

(ii) Apply the algorithm in Theorem 11.6 with $R = C/\mathfrak f$ and the $I$ of this section to obtain an efficient presentation for $1 + I$.

(iii) Apply the algorithm in Theorem 11.6 with $R = A_{\mathrm{sep}}/\mathfrak f$ and $I'$ in place of $I$ to obtain a finite set $T'$ of generators for $1 + I'$.

(iv) Apply Algorithm 7.8 with $G = 1 + I$, the efficient presentation from step (ii), $T = M$, and $T'$ from step (iii) to obtain a finite set of generators $S'$ for $\ker(\mathbb Z^M \to G/\langle T'\rangle)$.

(v) Take the image of $S'$ under the map $g_1 : \mathbb Z^M \to \mu(C)_p$.


Theorem 12.3. Algorithm 12.2 produces correct output and runs in polynomial time.

Proof. Since $C/\mathfrak f$ and $A_{\mathrm{sep}}/\mathfrak f$ are finite commutative rings, and $I$ and $I'$ are nilpotent, Theorem 11.6 is applicable in steps (ii) and (iii). The map $\mathbb Z^M \to G/\langle T'\rangle = (1 + I)/(1 + I')$ in step (iv) is our map $\psi$ from (12.1). By Proposition 12.1(v), step (v) produces generators for $\mu(A)_p$. $\square$

13. Finding roots of unity

Algorithm 13.1. Given an order $A$, the algorithm outputs a finite set of generators for $\mu(A)$.

(i) Use Algorithm 3.2 to compute $E_{\mathrm{sep}}$, all $\mathfrak m \in \operatorname{Spec}(E)$, the fields $E/\mathfrak m$, and the natural maps $E \to E/\mathfrak m$.

(ii) Apply Algorithm 4.2 to compute $A_{\mathrm{sep}} = A \cap E_{\mathrm{sep}}$.

(iii) Apply the algorithm in Proposition 9.1 to compute for each $\mathfrak m \in \operatorname{Spec}(E)$ the subring $A_{\mathrm{sep}}/(\mathfrak m \cap A_{\mathrm{sep}})$ of $E/\mathfrak m$.

(iv) Apply the algorithm in Proposition 9.2 to compute, for each $\mathfrak m \in \operatorname{Spec}(E)$, a generator $\theta_{\mathfrak m}$ for $\mu(A_{\mathrm{sep}}/(\mathfrak m \cap A_{\mathrm{sep}}))$, its order, the prime factorization of its order, and for each prime $p$ dividing its order a generator $\theta_{\mathfrak m,p}$ of $\mu(A_{\mathrm{sep}}/(\mathfrak m \cap A_{\mathrm{sep}}))_p$.

(v) For each prime $p$ dividing the order of at least one of the groups $\mu(A_{\mathrm{sep}}/(\mathfrak m \cap A_{\mathrm{sep}}))$, do the following:

(a) Use the image algorithm in §14 of [5] to compute a $\mathbb Z$-basis for $C = A_{\mathrm{sep}}[1/p] \cap B$ (as discussed in §10 above, just before Proposition 10.1).

(b) Apply Algorithm 10.7 to compute an efficient presentation for $\mu(C)_p$.

(c) Apply Algorithm 12.2 to compute generators for $\mu(A)_p$.

(vi) Generators for these groups $\mu(A)_p$ form a set of generators for $\mu(A)$.

That Algorithm 13.1 produces correct output and runs in polynomial time follows immediately. We can now obtain a deterministic polynomial-time algorithm that, given an order $A$, determines an efficient presentation for $\mu(A)$.

Algorithm 13.2. The algorithm takes an order $A$ and produces an efficient presentation for $\mu(A)$.

(i) Apply the algorithm in Proposition 9.3 to obtain an efficient presentation $(S \mid R)$ for $\mu(B)$.

(ii) Apply Algorithm 13.1 to obtain a finite set of generators for $\mu(A)$.

(iii) Apply Algorithm 7.6 with $G = \mu(B)$ to obtain an efficient presentation for $\mu(A)$.

Example 13.3. Let $A = \mathbb Z[X]/(X^4 - 1)$. Then with $p = 2$:

$$B = C = \mathbb Z[X]/(X - 1) \times \mathbb Z[X]/(X + 1) \times \mathbb Z[X]/(X^2 + 1) \cong \mathbb Z \times \mathbb Z \times \mathbb Z[i],$$

and $(C : A) = 8$. We identify $X$ with $(1, -1, i) \in \mathbb Z \times \mathbb Z \times \mathbb Z[i]$. Then

$$\mu(A)_2 = \mu(A) \subset \mu(B) = \mu(C)_2 = \langle (-1, 1, 1), (1, -1, 1), (1, 1, i)\rangle.$$

We have

$$\mathfrak f = 4\mathbb Z \times 4\mathbb Z \times 2\mathbb Z[i]$$

of index $64$ in $C$, and

$$C/\mathfrak f = \mathbb Z/4\mathbb Z \times \mathbb Z/4\mathbb Z \times \mathbb Z[i]/2\mathbb Z[i] = \mathbb Z/4\mathbb Z \times \mathbb Z/4\mathbb Z \times \mathbb F_2[\epsilon]$$

with $\epsilon = 1 + i$. The index $8$ subring of $C/\mathfrak f$ generated by $(1, -1, 1 + \epsilon)$ is $A/\mathfrak f$. Alternatively,

$$A/\mathfrak f = (\mathbb Z/4\mathbb Z)[Y]/(2Y, Y^2)$$

where $Y = X - 1 = (0, 2, \epsilon) \in A/\mathfrak f$. With $M = \{(-1, 1, 1), (1, -1, 1), (1, 1, i)\}$ we have

$$I = (2\mathbb Z/4\mathbb Z) \times (2\mathbb Z/4\mathbb Z) \times (\epsilon\mathbb F_2[\epsilon]) = [\ldots],$$

$I^2 = 0$, and

$$I' = I \cap (A/\mathfrak f) = [\ldots] = \{0, 2, Y, Y + 2\}.$$

With $\psi$ as in (12.1), we have $\psi(a, b, c) = a + b + c + 2\mathbb Z \in \mathbb Z/2\mathbb Z$ and

$$\ker(\psi) = \{(a, b, c) \in \mathbb Z^3 : a + b + c \text{ is even}\} = \mathbb Z\cdot(2, 0, 0) + \mathbb Z\cdot(1, 1, 0) + \mathbb Z\cdot(1, 0, 1).$$

Algorithm 13.1 outputs

$$\mu(A) = \mu(A)_2 = \langle -X^2\rangle \times \langle -X^3\rangle = \langle X, -1\rangle \cong \mathbb Z/2\mathbb Z \times \mathbb Z/4\mathbb Z.$$
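A direct check of the claims of Example 13.3, as an added example that is not code from the paper. It assumes the identification $C = \mathbb Z \times \mathbb Z \times \mathbb Z[i]$ with $X \mapsto (1, -1, i)$ stated above, stores elements of $C$ as integer 4-tuples $(a, b, \operatorname{Re} c, \operatorname{Im} c)$, and decides membership in $A$ by solving for coordinates on the $\mathbb Z$-basis $1, X, X^2, X^3$; it recovers $(C : A) = 8$ and $\mu(A) = \langle X, -1\rangle \cong \mathbb Z/2\mathbb Z \times \mathbb Z/4\mathbb Z$ by brute force rather than by Algorithm 13.1.

```python
# Added example (not from the paper): a direct check of Example 13.3.
# C = Z x Z x Z[i] is stored as integer 4-tuples (a, b, Re c, Im c); the
# order A = Z[X]/(X^4 - 1) is the Z-span of the images of 1, X, X^2, X^3
# under X -> (1, -1, i).  We recover (C : A) = 8 and mu(A) = <X, -1>.
from fractions import Fraction

ONE = (1, 1, 1, 0)
X = (1, -1, 0, 1)                         # X = (1, -1, i)

def mul(u, v):
    """Componentwise product in Z x Z x Z[i]."""
    a, b, c, d = u
    e, f, g, h = v
    return (a * e, b * f, c * g - d * h, c * h + d * g)

A_BASIS = [ONE]                           # Z-basis 1, X, X^2, X^3 of A
for _ in range(3):
    A_BASIS.append(mul(A_BASIS[-1], X))

def det(M):
    """Determinant by cofactor expansion (M is tiny)."""
    if len(M) == 1:
        return M[0][0]
    return sum((-1) ** j * M[0][j] * det([row[:j] + row[j + 1:] for row in M[1:]])
               for j in range(len(M)))

def index_C_over_A():
    """(C : A) = |det| of the matrix expressing A's basis in C's basis."""
    return abs(det([list(v) for v in A_BASIS]))

def coordinates(basis, w):
    """Rational coordinates of w on `basis` (Gauss-Jordan over Fraction)."""
    n = len(basis)
    rows = [[Fraction(basis[i][j]) for i in range(n)] + [Fraction(w[j])]
            for j in range(n)]
    for col in range(n):
        piv = next(r for r in range(col, n) if rows[r][col] != 0)
        rows[col], rows[piv] = rows[piv], rows[col]
        rows[col] = [v / rows[col][col] for v in rows[col]]
        for r in range(n):
            if r != col and rows[r][col] != 0:
                f = rows[r][col]
                rows[r] = [x - f * y for x, y in zip(rows[r], rows[col])]
    return [rows[j][n] for j in range(n)]

def in_A(w):
    """w in C lies in A iff its coordinates on A_BASIS are all integers."""
    return all(c.denominator == 1 for c in coordinates(A_BASIS, w))

# mu(C) = {+-1} x {+-1} x {1, i, -1, -i}: 16 roots of unity (= mu(C)_2)
MU_C = [(s, t, re, im) for s in (1, -1) for t in (1, -1)
        for re, im in ((1, 0), (0, 1), (-1, 0), (0, -1))]

def mu_A():
    """mu(A): the roots of unity of C that lie in the sublattice A."""
    return [z for z in MU_C if in_A(z)]

def order(z):
    n, w = 1, z
    while w != ONE:
        w, n = mul(w, z), n + 1
    return n

def generated_by(gens):
    """Subgroup of mu(C) generated by gens (closure under multiplication)."""
    seen, todo = {ONE}, [ONE]
    while todo:
        u = todo.pop()
        for g in gens:
            v = mul(u, g)
            if v not in seen:
                seen.add(v)
                todo.append(v)
    return seen
```

Of the 16 roots of unity of $C$, exactly the 8 elements $\pm X^j$ lie in $A$, and four of them have order dividing 2, which is the type $\mathbb Z/2\mathbb Z \times \mathbb Z/4\mathbb Z$ stated above.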

Example 13.4. Let $A = \mathbb Z[X]/(X^{12} - 1)$. Then

$$E = \mathbb Q[X]/(X^{12} - 1) \cong \mathbb Q \times \mathbb Q \times \mathbb Q(\zeta_3) \times \mathbb Q(i) \times \mathbb Q(\zeta_3) \times \mathbb Q(\zeta_{12})$$

and

$$B = \mathbb Z[X]/(X - 1) \times \mathbb Z[X]/(X + 1) \times \mathbb Z[X]/(X^2 + X + 1) \times \mathbb Z[X]/(X^2 + 1) \times \mathbb Z[X]/(X^2 - X + 1) \times \mathbb Z[X]/(X^4 - X^2 + 1) \subset E.$$

We have for the discriminants of the orders:

$$|\Delta_B| = 1 \cdot 1 \cdot 3 \cdot 4 \cdot 3 \cdot 12^2, \qquad |\Delta_A| = 12^{12},$$

so

$$\#(B/A) = \sqrt{|\Delta_A|/|\Delta_B|} = 2^9 \cdot 3^4.$$

Thus if $p = 2$ then $(C : A) = 2^9$, while if $p = 3$ then $(C : A) = 3^4$. The graph $\Gamma(B)$ consists of $6$ vertices with no edges. With the numbers $n(A, \mathfrak m, \mathfrak n)$ on the edges, the graph $\Gamma(A)$ is:

[Figure: the graph $\Gamma(A)$ on the six vertices of $\operatorname{Spec}(E)$ with the numbers $n(A, \mathfrak m, \mathfrak n)$ as edge labels; of the drawing only the vertex label $(X + 1)$ survived extraction.]

We have $\mu(C)_2 = \prod_W \mu(C_W)_2$ with the product running over the $3$ connected components $W$. The left $2$ $W$'s give $\mu(C_W)_2 = \{\pm 1\}$, while the remaining one gives $\mu(C_W)_2 = \langle -X^3\rangle$. This gives

$$-X^3, -1 \in \mu(A)_2.$$

Suppose $p = 3$. Then the graph $\Gamma(C)$ is:

[Figure: the graph $\Gamma(C)$ for $p = 3$, drawn as two connected components, one above the other.]

We have $\mu(C)_3 = \prod_W \mu(C_W)_3$ with the product running over the $2$ connected components $W$. The top $W$ has $\mu(C_W)_3 = \{1\}$, while for the bottom $W$ one has that $\mu(C_W)_3$ is generated by the image of $X^4$, and this gives $X^4 \in \mu(A)_3$.

Continuing the algorithm by hand is more complicated than in the previous example. However, we note that here $A$ is the order $\mathbb Z(G)$ defined in [7] with $G = \langle -1\rangle \times \langle X\rangle \cong \mathbb Z/2\mathbb Z \times \mathbb Z/12\mathbb Z$, and it follows from Remark 16.3 of [7] that $\mu(A) = G = \langle -1\rangle \times \langle X\rangle$.